The router <b>moon</b> sets up a connection to gateway <b>sun</b> in order
to reach the subnet hidden behind <b>sun</b>. The gateway <b>sun</b> assigns a
virtual IP address to router <b>moon</b>. A special <b>nat_updown</b> script on <b>moon</b>
dynamically inserts a source NAT rule which maps the IP address of client <b>alice</b> to
the virtual IP of <b>moon</b>. This allows <b>alice</b> to access client <b>bob</b> via the
established IPsec tunnel.