The roadwarriors carol and dave set up an IPv6-in-IPv4 tunnel connection each to gateway moon. The authentication is based on X.509 certificates. Both carol and dave request a virtual IPv6 address from moon via the IKEv1 mode config payload.
Upon the successful establishment of the ESP tunnels, leftfirewall=yes automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic. In order to test both tunnel and firewall, both carol and dave send an IPv6 ICMP request to the client alice behind the gateway moon using the ping6 command.