The roadwarriors alice and venus sitting behind the router moon set up tunnels to gateway sun. Since both roadwarriors possess the same 10.1.0.0/25 subnet, gateway sun uses Source NAT after ESP decryption to map these subnets to 10.3.0.10 and 10.3.0.20, respectively.

In order to differentiate between the tunnels to alice and venus, XFRM marks are defined for both the inbound and outbound IPsec SAs and policies using the mark_in and mark_out parameters in ipsec.conf.

iptables -t mangle rules in the PREROUTING chain are then used to mark the traffic to and from alice and the traffic to and from venus with their respective marks.

The script designated by leftupdown=/etc/mark_updown automatically inserts iptables mangle rules that mark the inbound ESP packets as well as iptables IPsec-policy rules that let the tunneled traffic pass. In order to test the tunnel, the hosts alice and venus ping the client bob behind the gateway sun.
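As an added example (not the page's own code and not strongSwan's /etc/mark_updown script), the following shell script emits the rule set described above for gateway sun: per-tunnel marks on inbound ESP and on replies to the NAT address, mark-qualified IPsec-policy accept rules, and the Source NAT after decryption. The mark values, sun's outer address and the peers' ESP source addresses are constructed assumptions.

```shell
#!/bin/sh
# Added example, not strongSwan's own /etc/mark_updown script: the iptables
# rules gateway sun needs to keep the tunnels of two road warriors that both
# claim 10.1.0.0/25 apart, and to Source NAT each one after decryption.
# Constructed assumptions: in ipsec.conf alice has mark_in=10/mark_out=11 and
# venus mark_in=20/mark_out=21; sun's outer address is 192.168.0.2; ESP arrives
# unencapsulated from 10.1.0.10 (alice) and 10.1.0.20 (venus).
SUN=${SUN:-192.168.0.2}

# Print each rule unless APPLY=1, so the set can be reviewed before loading.
ipt() { if [ "${APPLY:-0}" = 1 ]; then iptables "$@"; else echo "iptables $*"; fi; }

# add_tunnel NAME PEER_ADDR MARK_IN MARK_OUT NAT_ADDR
add_tunnel() {
    name=$1 peer=$2 min=$3 mout=$4 nat=$5
    # 1. Inbound ESP from this peer: set mark_in so the kernel applies the
    #    inbound policy carrying that mark; the mark survives decryption.
    ipt -t mangle -A PREROUTING -p esp -s "$peer" -d "$SUN" \
        -m comment --comment "$name" -j MARK --set-mark "$min"
    # 2. Replies addressed to this tunnel's NAT address: set mark_out in
    #    mangle PREROUTING, i.e. before conntrack reverses the SNAT, so the
    #    outbound policy/SA with that mark is selected for 10.1.0.0/25.
    ipt -t mangle -A PREROUTING -d "$nat" \
        -m comment --comment "$name" -j MARK --set-mark "$mout"
    # 3. Accept forwarded traffic only when it matches an IPsec policy AND
    #    this tunnel's mark, so the two overlapping subnets never mix.
    ipt -A FORWARD -m policy --dir in --pol ipsec --proto esp \
        -m mark --mark "$min" -s 10.1.0.0/25 -j ACCEPT
    ipt -A FORWARD -m policy --dir out --pol ipsec --proto esp \
        -m mark --mark "$mout" -d 10.1.0.0/25 -j ACCEPT
    # 4. Source NAT after decryption: give this tunnel's 10.1.0.0/25 a unique
    #    address so bob can reach alice and venus separately.
    ipt -t nat -A POSTROUTING -m mark --mark "$min" -s 10.1.0.0/25 \
        -j SNAT --to-source "$nat"
}

# rule_count NAME ... : number of rules add_tunnel emits (dry run), for checks.
rule_count() { add_tunnel "$@" | wc -l | tr -d ' '; }

add_tunnel alice 10.1.0.10 10 11 10.3.0.10
add_tunnel venus 10.1.0.20 20 21 10.3.0.20
```

Run with APPLY=1 as root to load the rules instead of printing them; with NAT traversal the inbound match in step 1 would be the UDP port 4500 encapsulation plus the peer's source port instead of `-p esp`.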