By setting <b>revocation = strict</b> in swanctl.conf, a <b>strict</b> CRL policy
is enforced on both roadwarrior <b>carol</b> and gateway <b>moon</b>.
<p/>
Based on RFC 4806, <b>carol</b> sends an OCSP request via an IKEv2 CERTREQ payload to
gateway <b>moon</b> which in turn requests online status information on its own
certificate from the OCSP server <b>winnetou</b> on behalf of <b>carol</b>.
The OCSP server <b>winnetou</b> possesses an OCSP signer certificate containing an
<b>OCSPSigning</b> Extended Key Usage (EKU) flag issued by the strongSwan CA.
<p/>
Even though <b>carol</b>'s certificate includes an <b>OCSP URI</b> in an authority
information access extension pointing to <b>winnetou</b>, gateway <b>moon</b> still
needs a special authorities section in swanctl.conf in order to be able to request
an OCSP response for its own certificate since that is lacking an <b>OCSP URI</b>.
<p/>
<b>carol</b> can successfully initiate an IPsec connection to <b>moon</b> since
the status of both certificates is <b>good</b>.
