The roadwarriors carol and dave set up a connection each to gateway moon. The authentication is based on X.509 certificates. To authorize clients, moon expects attribute certificates sent inline in IKEv2 CERT payloads. Carol provides a valid attribute certificate for the group sales, but dave offers two invalid attribute certificates: One is not for the sales group, and the other is issued by an AA that has been expired.
Upon the successful establishment of the IPsec tunnels, leftfirewall=yes automatically inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test both tunnel and firewall, both carol and dave try to ping the client alice behind the gateway moon, but dave fails to do so.