All traffic from the clients alice and venus is tunneled by default gateway moon to VPN gateway sun. In order to prevent local traffic within the 10.1.0.0/16 subnet to enter the tunnel, a local-net shunt policy with type=pass is set up. In order for the shunt to work, automatic route insertion must be disabled by adding install_routes = no to the charon section of strongswan.conf.

In order to demonstrate the use of type=drop shunt policies, the venus-icmp connection prevents ICMP traffic to and from venus to use the IPsec tunnel by dropping such packets. Since this policy does not apply to the local net, venus and moon can still ping each other.