All traffic from the clients <b>alice</b> and <b>venus</b> is tunneled
by default gateway <b>moon</b> to VPN gateway <b>sun</b>. In order to
prevent local traffic within the <b>10.1.0.0/16</b> subnet to enter the
tunnel, a <b>local-net</b> shunt policy with <b>type=pass</b> is set up.
In order for the shunt to work, automatic route insertion must be disabled
by adding <b>install_routes = no</b> to the charon section of <b>strongswan.conf</b>.
<p/>
In order to demonstrate the use of <b>type=drop</b> shunt policies, the
<b>venus-icmp</b> connection prevents ICMP traffic to and from <b>venus</b>
to use the IPsec tunnel by dropping such packets. Thanks to the <b>local-net</b>
pass shunt, <b>venus</b> and <b>moon</b> can still ping each other, though.