By setting strictcrlpolicy=yes, a strict CRL policy is enforced on both roadwarrior carol and gateway moon. The online certificate status is checked via the OCSP server winnetou which possesses an OCSP signer certificate issued by the strongSwan CA. This certificate contains an OCSPSigning extended key usage flag. carol's certificate includes an OCSP URI in an authority information access extension pointing to winnetou. Therefore no special ca section information is needed in moon's ipsec.conf.
carol can successfully initiate an IPsec connection to moon since the status of both certificates is good.