The roadwarrior carol sets up a connection to gateway moon. At the outset the gateway authenticates itself to the client by sending an IKEv2 RSA signature accompanied by a certificate. carol then uses the Extensible Authentication Protocol in association with an MD5 challenge and response protocol (EAP-MD5) to authenticate against the gateway moon. In addition to her IKEv2 identity carol@strongswan.org, roadwarrior carol uses the EAP identity carol. The user password is kept in ipsec.secrets on the client carol and the gateway forwards all EAP messages to the RADIUS server alice.
Since RADIUS accounting is enabled in strongswan.conf, gateway moon sends user name, connection time and data volume information to the RADIUS server alice.