The VPN gateway moon controls the access to the hosts alice and venus by means of two different Intermediate CAs. Access to alice is granted to users presenting a certificate issued by the Research CA whereas venus can only be reached with a certificate issued by the Sales CA. The roadwarriors carol and dave have certificates from the Research CA and Sales CA, respectively. Therefore carol can access alice and dave can reach venus.
By setting strictcrlpolicy=yes the CRLs from the strongSwan, Research and Sales CAs must be fetched from the LDAP server winnetou first, before the connection setups can be successfully completed.