In order to support <b>Differentiated Services</b> (DiffServ), two parallel IPsec
connections between the subnets behind the gateways <b>moon</b> and <b>sun</b> are
set up. Using <b>XFRM marks</b> one IPsec SA is designated for <b>Best Effort</b> (BE)
traffic and the second SA for <b>Expedited Forwarding</b> (EF) traffic.  To guarantee
that the CHILD_SA with the correct mark is selected on the responder side, labels
are used and negotiated via IKEv2. The authentication is based on <b>X.509 certificates</b>.
<p/>
Upon the successful establishment of the IPsec tunnel, the updown script automatically
inserts iptables-based firewall rules that let pass the tunneled traffic
In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
pings client <b>bob</b> located behind gateway <b>sun</b>.