The roadwarrior carol sets up a connection to gateway moon. Using the left|rightprotoport selectors, the IPsec tunnel is restricted to the ICMP protocol. Upon the successful establishment of the IPsec tunnel, firewall=yes automatically inserts iptables-based firewall rules that let pass the tunneled ICMP traffic. In order to test both tunnel and firewall, carol pings the client alice behind the gateway moon as well as the inner interface of the gateway. For the latter ping lefthostaccess=yes is required.
By default, the native IPsec stack of the Linux 2.6 kernel transmits protocols and ports not covered by any IPsec SA in the clear. Thus by selectively opening the firewalls, carol sets up an SSH session to alice that is not going through the tunnel.