By setting strictcrlpolicy=yes, a strict CRL policy is enforced on both roadwarrior carol and gateway moon. The online certificate status is checked via the OCSP server winnetou which possesses a self-signed OCSP signer certificate that must be imported locally by the peers into /etc/ipsec.d/ocspcerts/. A strongswan ca section in ipsec.conf defines an OCSP URI pointing to winnetou.
carol can successfully initiate an IPsec connection to moon since the status of both certificates is good.