By setting <b>revocation = strict</b> a <b>strict CRL policy</b> is enforced on
both roadwarrior <b>carol</b> and gateway <b>moon</b>. Thus when <b>carol</b> initiates
the connection and only an expired CRL cache file in <b>/etc/swanctl/x509crl</b> is
available, an ldap fetch to get the CRL from the LDAP server <b>winnetou</b> is
successfully started and the IKE authentication completes. The new CRL is again
cached locally as a file in <b>/etc/swanctl/x509crl</b> due to the <b>cache_crls = yes</b>
option in <b>/etc/strongswan.conf</b>.