The roadwarriors carol and dave set up a connection each to gateway moon. The authentication is based on X.509 certificates. To authorize clients, moon uses locally cached attribute certificates. While for carol a valid attribute certificate for the group sales is available, dave's attribute certificates are either expired or do not grant permissions for the sales group.
Upon the successful establishment of the IPsec tunnels, leftfirewall=yes automatically inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test both tunnel and firewall, both carol and dave try to ping the client alice behind the gateway moon, but dave fails to do so.