By setting strictcrlpolicy=yes, a strict CRL policy is enforced on both roadwarrior carol and gateway moon. Thus, when carol initiates the connection and no current CRL is available, the Main Mode negotiation fails and an HTTP fetch to get the CRL from the web server winnetou is triggered. When the second Main Mode attempt comes around, the fetched CRL will be available, but because the certificate presented by carol has been revoked, the IKE negotiation will fail.
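
The two attempts described above can be traced with a small model of the CRL decision. This is an added example, not strongSwan code; the class and function names, the serial number and the dates are constructed, and the lenient branch is a simplified assumption about what happens without strictcrlpolicy=yes. It models the gateway checking carol's certificate and shows that without the strict policy the revoked certificate is accepted once, before the fetched CRL arrives.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

CAROL_SERIAL = 0x0A  # constructed serial number standing in for carol's certificate


@dataclass
class Crl:
    next_update: datetime        # a CRL is "current" only before this time
    revoked_serials: frozenset


@dataclass
class Peer:
    """Simplified model of one endpoint's CRL handling (hypothetical names)."""
    strict: bool                 # models strictcrlpolicy=yes / no
    cache: Optional[Crl] = None  # no CRL cached at start-up
    fetch_pending: bool = False

    def authenticate(self, serial, now):
        crl = self.cache
        if crl is None or crl.next_update <= now:
            # No current CRL: a fetch is triggered for later attempts.
            self.fetch_pending = True
            if self.strict:
                return (False, "no current CRL")        # fail closed
            return (True, "status unknown, accepted")   # fail open (assumed)
        if serial in crl.revoked_serials:
            return (False, "certificate revoked")
        return (True, "certificate good")

    def complete_fetch(self, published):
        # Stands in for the HTTP fetch of the CRL from the web server.
        if self.fetch_pending:
            self.cache, self.fetch_pending = published, False


def run_scenario(strict):
    """Two negotiation attempts with the CRL fetch completing in between."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed date
    published = Crl(now + timedelta(days=7), frozenset({CAROL_SERIAL}))
    gateway = Peer(strict=strict)
    first = gateway.authenticate(CAROL_SERIAL, now)
    gateway.complete_fetch(published)
    second = gateway.authenticate(CAROL_SERIAL, now)
    return [first, second]


if __name__ == "__main__":
    for strict in (True, False):
        print("strict" if strict else "lenient", run_scenario(strict))
```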