One connection with two CHILD_SAs between the hosts and subnet behind the
gateways <b>moon</b> and <b>sun</b>, respectively, are set up using XFRM
interfaces.
<p/>
The gateways use <b>route-based forwarding</b> with <b>XFRM interfaces</b>, with
firewall rules to allow traffic to pass. Both peers use connection-defined
interface IDs so all CHILD_SAs share the same XFRM interface. The IKE daemon
does not install routes for CHILD_SAs with outbound interface ID, so routes for
the target subnets are installed statically or via updown events.
<p/>
Both gateways use separate interfaces for in- and outbound traffic (which is
completely optional and mainly for testing purposes, a single interface will
usually be enough). Gateway <b>moon</b> creates them before initiating the
connection, while gateway <b>sun</b> dynamically creates the interfaces via
ike-updown event using the passed unique generated interface IDs.
<p/>
Clients <b>alice</b> and <b>venus</b> behind gateway <b>moon</b> ping client
<b>bob</b> located behind gateway <b>sun</b>.