This scenario tests make-before-break reauthentication using overlapping IKE_SAs by setting the make_before_break strongswan.conf option. The initiator carol reauthenticates the IKE_SA with host moon using ikelifetime=10s, but does not close the old IKE_SA before the replacement CHILD_SA is in place. A constant ping from carol to client alice hiding in the subnet behind moon tests if the CHILD_SA works during the whole procedure.
Because the responder is always able to install CHILD_SAs before the initiator is, some traffic sent by the responder over such a CHILD_SA might get dropped by the initiator (until it also installed the CHILD_SA). This is particularly problematic if OCSP/CRL checks are delayed or if they can also be done via the IPsec tunnel once it's established. Therefore, online OCSP/CRL checks are suspended during the reauthentication and done afterwards. This is verified here by revoking the responder's certificate after the SA got initially established.