This scenario tests <b>make-before-break reauthentication</b> using overlapping
IKE_SAs by setting the <i>make_before_break</i> strongswan.conf option. The
initiator <b>carol</b> reauthenticates the IKE_SA with host <b>moon</b> using
<b>ikelifetime=10s</b>, but does not close the old IKE_SA before the replacement
CHILD_SA is in place. A constant ping from <b>carol</b> to client <b>alice</b>
hiding in the subnet behind <b>moon</b> tests if the CHILD_SA works during the
whole procedure.
<p/>
Because the responder is always able to install CHILD_SAs before the initiator
is, some traffic sent by the responder over such a CHILD_SA might get dropped by
the initiator (until it also installed the CHILD_SA).  This is particularly
problematic if OCSP/CRL checks are delayed or if they can also be done via the
IPsec tunnel once it's established.  Therefore, online OCSP/CRL checks are
suspended during the reauthentication and done afterwards. This is verified here
by revoking the responder's certificate after the SA got initially established.