A connection between the subnets behind the gateways moon and sun is set up using GRE interfaces.

The gateways use route-based forwarding over GRE tunnels, with firewall rules that allow the traffic to pass. The IPsec traffic selector is limited to the GRE protocol; specific routing is achieved with routes on the GRE interfaces. The IKE daemon is configured not to install routes (charon.install_routes=0), and static routes for the target subnets are installed on the GRE interfaces.
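A sketch of the moon side of this setup, added here as an example and not taken from the scenario's own files. The gateway addresses, the subnet, the interface name and the helper function names are assumptions, and the printed swanctl fragment belongs inside an existing connection definition that is not shown.

```shell
#!/bin/sh
# Added example for gateway moon. All addresses and names are assumed values.
LOCAL_GW=192.0.2.1       # moon's outer address (assumed)
REMOTE_GW=192.0.2.2      # sun's outer address (assumed)
REMOTE_NET=10.2.0.0/16   # subnet behind sun (assumed)
GRE_IF=gre-sun           # GRE interface name (assumed)
DRY_RUN=${DRY_RUN:-1}    # 1 = only print the commands, 0 = execute (needs root)

run() {                  # print a command; execute it only when DRY_RUN=0
    echo "$*"
    [ "$DRY_RUN" = 1 ] || "$@"
}

setup_gre() {
    # GRE tunnel between the outer addresses of the two gateways
    run ip tunnel add "$GRE_IF" mode gre local "$LOCAL_GW" remote "$REMOTE_GW"
    run ip link set "$GRE_IF" up
    # Static route, needed because charon.install_routes=0 installs none
    run ip route add "$REMOTE_NET" dev "$GRE_IF"
}

setup_firewall() {
    # IKE and ESP from the peer gateway
    run iptables -A INPUT -s "$REMOTE_GW" -p udp --dport 500 -j ACCEPT
    run iptables -A INPUT -s "$REMOTE_GW" -p esp -j ACCEPT
    # Accept GRE only when it was decapsulated from an IPsec SA; drop cleartext GRE
    run iptables -A INPUT -s "$REMOTE_GW" -p gre -m policy --dir in --pol ipsec -j ACCEPT
    run iptables -A INPUT -p gre -j DROP
    # Forward subnet traffic entering and leaving through the GRE interface
    run iptables -A FORWARD -i "$GRE_IF" -j ACCEPT
    run iptables -A FORWARD -o "$GRE_IF" -j ACCEPT
}

swanctl_child_fragment() {
    # Traffic selectors limited to the GRE protocol between the gateway addresses
    cat <<'EOF'
children {
    gre {
        local_ts  = dynamic[gre]
        remote_ts = dynamic[gre]
    }
}
EOF
}

# Stand-alone run: show the plan (or apply it when started with DRY_RUN=0)
setup_gre
setup_firewall
swanctl_child_fragment
```

The `-m policy --pol ipsec` rule followed by the GRE drop is what keeps unprotected GRE packets from reaching the tunnel interface if the IPsec SA is down.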

Client alice behind gateway moon pings client bob located behind gateway sun.