A tunnel connecting the subnets behind the gateways moon and sun is preconfigured by installing a %trap eroute on gateway moon by means of the setting auto=route in ipsec.conf. A subsequent ping issued by client alice behind gateway moon to bob, located behind gateway sun, triggers the %trap eroute and leads to the automatic establishment of the subnet-to-subnet tunnel.
The updown script automatically inserts iptables-based firewall rules that let the tunneled traffic pass.
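
An ipsec.conf connection entry for gateway moon along the lines described above, added here as an illustration and not taken from the scenario's own files. The connection name, addresses, subnets, identities and certificate file name are assumed values; leftfirewall=yes relies on the default updown script being in use.

```conf
# /etc/ipsec.conf on gateway moon (illustrative example, values assumed)

config setup

conn net-net
	# Local side: moon and the subnet that alice sits in (assumed addresses)
	left=192.168.0.1
	leftsubnet=10.1.0.0/16
	leftcert=moonCert.pem
	leftid=@moon.example.org
	# Let the default updown script add and remove the iptables rules
	# that allow the tunneled subnet-to-subnet traffic through the firewall
	leftfirewall=yes
	# Remote side: sun and the subnet that bob sits in (assumed addresses)
	right=192.168.0.2
	rightsubnet=10.2.0.0/16
	rightid=@sun.example.org
	# Do not negotiate at startup: only install the trap policy, so the
	# first packet matching leftsubnet -> rightsubnet triggers the tunnel
	auto=route
```

With auto=route no security association exists until matching traffic arrives, so the first packet or two of alice's ping may be lost while the tunnel is negotiated.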