The roadwarrior <b>alice</b> sitting behind the NAT router <b>moon</b> sets up a
tunnel to the subnet hiding behind the NAT router <b>sun</b>. All IKE and ESP traffic
directed to the router <b>sun</b> is forwarded to the VPN gateway <b>bob</b>
using destination NAT.  UDP encapsulation is used to traverse the NAT routers.
<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that
let pass the tunneled traffic. In order to test the double NAT-ed IPsec
tunnel <b>alice</b> pings the inner IP address of the router <b>sun</b>.