The roadwarriors alice and venus sitting behind the NAT router moon set up tunnels to gateway sun. UDP encapsulation is used to traverse the NAT router. Each roadwarrior shares its own Pre-Shared Key (PSK) with the gateway sun.
Upon the successful establishment of the IPsec tunnels, the updown script automatically inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test the tunnel, the NAT-ed hosts alice and venus ping the client bob behind the gateway sun.