The roadwarriors alice and venus, sitting behind the NAT router moon, set up tunnels to gateway sun. They tunnel all traffic to the gateway. To prevent local traffic within the subnet from entering the tunnel, both set up a local-net shunt policy with mode = pass.

In order to test the tunnel, the NAT-ed hosts alice and venus ping each other and the client bob behind the gateway sun.
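
The roadwarrior side of the setup described above, sketched as a swanctl.conf fragment for alice. This is an added example, not the scenario's own configuration file: the connection name rw, the gateway address 192.0.2.1, the local subnet 10.1.0.0/16, the identities and the certificate file name are assumed placeholders.

```conf
# swanctl.conf on roadwarrior alice (added example, values are placeholders)
connections {

   # Tunnel to gateway sun: remote_ts = 0.0.0.0/0 sends ALL traffic into the tunnel
   rw {
      remote_addrs = 192.0.2.1          # placeholder address of gateway sun

      local {
         auth  = pubkey
         certs = aliceCert.pem          # placeholder certificate file
         id    = alice@example.org      # placeholder identity
      }
      remote {
         auth = pubkey
         id   = sun.example.org         # placeholder identity
      }
      children {
         rw {
            remote_ts = 0.0.0.0/0       # catch-all selector, includes the local subnet
         }
      }
   }

   # Shunt policy: no IKE peer, only a kernel policy exempting the local subnet
   local-net {
      children {
         local-net {
            local_ts  = 10.1.0.0/16     # assumed subnet behind NAT router moon
            remote_ts = 10.1.0.0/16

            mode = pass                 # passthrough: matching packets bypass IPsec
            start_action = trap         # install the policy when the config is loaded
         }
      }
   }
}
```

Without the local-net child, the catch-all 0.0.0.0/0 selector would also match traffic between alice and venus and route it through sun.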