The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the router <b>moon</b> set up
tunnels to gateway <b>sun</b>. Since both roadwarriors possess the same 10.1.0.0/25 subnet,
gateway <b>sun</b> uses Source NAT after ESP decryption to map these subnets to PH_IP_CAROL10
and PH_IP_DAVE10, respectively.
<p/>
In order to differentiate between the tunnels to <b>alice</b> and <b>venus</b>, respectively,
<b>XFRM marks</b> are defined for both the inbound and outbound IPsec SAs and policies using
the <b>mark_in</b> and <b>mark_out</b> parameters in ipsec.conf.
<p/>
<b>iptables -t mangle</b> rules are then used in the PREROUTING chain to mark the traffic to
and from <b>alice</b> and <b>venus</b>, respectively.
<p/>
The script designated by <b>leftupdown=/etc/mark_updown</b> automatically inserts
iptables mangle rules that mark the inbound ESP packets as well as iptables IPsec-policy rules
that let pass the tunneled traffic. In order to test the tunnel, the hosts <b>alice</b>
and <b>venus</b> ping the client <b>bob</b> behind the gateway <b>sun</b>.