diff --git a/README.md b/README.md
index 45485b6..2e748fa 100644
--- a/README.md
+++ b/README.md
@@ -93,6 +93,13 @@ ping 10.1.1.11
 # ✅ Tests project-project routing via SNA transfer network
 ```
 
+### 💻 From appliance02 (on-prem) to machine02 (cloud internal)
+
+```bash
+ping 10.1.2.11
+# ✅ Tests project-project routing via SNA transfer network
+```
+
 ### ❌ From machine01 (cloud) to appliance02 (VPN-disconnected)
 
 If you remove the static route that directs 192.168.1.0/24 through appliance01:
diff --git a/cloud-init.yaml b/cloud-init.yaml
index 91f918d..25bdc75 100644
--- a/cloud-init.yaml
+++ b/cloud-init.yaml
@@ -40,18 +40,5 @@ runcmd:
 - sed -i '/^#\?net.ipv4.ip_forward\s*=/c\net.ipv4.ip_forward=1' /etc/sysctl.conf
 - sysctl -p
 
- # Set up iptables rules
- # - iptables -t nat -A POSTROUTING -s ${local_subnet} -d ${remote_subnet} -j ACCEPT
- # - iptables -t nat -A POSTROUTING -s ${remote_subnet} -d ${local_subnet} -j ACCEPT
- # - iptables -t nat -A POSTROUTING -s ${local_subnet} ! -d ${local_subnet} -j MASQUERADE
-
- # Accept IPsec traffic
- # - iptables -A INPUT -p udp --dport 500 -j ACCEPT
- # - iptables -A INPUT -p udp --dport 4500 -j ACCEPT
- # - iptables -A INPUT -p esp -j ACCEPT
- # - iptables -A FORWARD -s ${local_subnet} -d ${remote_subnet} -m policy --pol ipsec --dir out -j ACCEPT
- # - iptables -A FORWARD -s ${remote_subnet} -d ${local_subnet} -m policy --pol ipsec --dir in -j ACCEPT
-
- # Enable and start strongSwan
- # - systemctl enable strongswan-starter
- # - systemctl start strongswan-starter
\ No newline at end of file
+ - ipsec start
+ - ipsec up net-net
\ No newline at end of file
diff --git a/docs/network-architecture.png b/docs/network-architecture.png
index 999ae42..f147a84 100644
Binary files a/docs/network-architecture.png and b/docs/network-architecture.png differ
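Review bot: `ipsec up net-net` is issued immediately after `ipsec start` in the two new runcmd entries, but `ipsec start` returns before charon has finished loading its configuration, so on first boot the `up` is likely to fail with a control-socket error and leave the tunnel down; as far as I can tell cloud-init keeps executing later runcmd entries after a failure, so nothing surfaces this beyond the cloud-init log. Either set `auto=start` on the net-net conn so charon initiates it itself, or wait for the daemon before initiating: `- ipsec start`, `- timeout 30 sh -c 'until ipsec status >/dev/null 2>&1; do sleep 1; done'`, `- ipsec up net-net`. Note also that runcmd runs once per instance, so unless the package install already enables the strongswan-starter unit the tunnel will not come back after a reboot — an explicit `- systemctl enable strongswan-starter` (dropped here only as a commented line) would make that behaviour deliberate. The runcmd list begins outside the hunk, and the ipsec.conf/secrets that define net-net are not visible here.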