A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
The authentication is based on <b>X.509 certificates</b>. Upon the successful
establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
inserts iptables-based firewall rules that let pass the tunneled traffic.
After a while the CHILD_SA is rekeyed by <b>moon</b> (after a deliberately short
time in this test scenario).
In order to test both tunnel and firewall after the rekeying, client <b>alice</b>
behind gateway <b>moon</b> pings client <b>bob</b> located behind gateway <b>sun</b>
twice, once right after the rekeying and once after the old inbound SA has been
deleted.