The roadwarrior carol sets up a connection to gateway moon. The authentication is based on X.509 certificates. To authorize clients, moon expects attribute certificates sent inline in IKEv2 CERT payloads. Carol has attribute certificates for both the sales and the finance groups. The attribute certificate for finance is not valid anymore, hence carol gets access to the sales connection only.
Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test both tunnel and firewall, carol tries to ping both alice and venus, but only the ping for the sales related host venus succeeds.