The roadwarriors carol and dave set up a connection each to gateway moon. The IKEv2 key exchange is based on the NewHope lattice-based post-quantum algorithm with a cryptographical strength of 128 bits. Authentication is based on the BLISS algorithm with strengths 128 bits (BLISS I), 160 bits (BLISS III) and 192 bits (BLISS IV) for carol, dave and moon, respectively.

Both carol and dave request a virtual IP via the IKEv2 configuration payload. The gateway moon assigns virtual IP addresses from the pool 10.3.0.0/28 in a monotonously increasing order.

leftfirewall=yes automatically inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test the tunnels, carol and dave then ping the client alice behind the gateway moon. The source IP addresses of the two pings will be the virtual IPs carol1 and dave1, respectively.