This scenario tests <b>repeated authentication</b> according to RFC 4478.
The initiator <b>carol</b> sets a short <b>reauth_time=20s</b> but the responder
<b>moon</b> defining a much larger <b>reauth_time=60m</b> proposes this
value via an AUTH_LIFETIME notification to the initiator as it can't initiate
the reauthentication itself due to the virtual IP address. The initiator
ignores this notification and schedules the IKE reauthentication at its
configured time. A ping from <b>carol</b> to client <b>alice</b>
hiding in the subnet behind <b>moon</b> tests if the CHILD_SA has been
recreated under the new IKE_SA.