The peer carol and moon both have dynamic IP addresses, so that the remote end is defined symbolically by right=%<hostname>. The ipsec starter resolves the fully-qualified hostname into the current IP address via a DNS lookup (simulated by an /etc/hosts entry). Since the peer IP addresses are expected to change over time, the option rightallowany=yes will allow an IKE main mode rekeying to arrive from an arbitrary IP address under the condition that the peer identity remains unchanged. When this happens the old tunnel is replaced by an IPsec connection to the new origin.
In this scenario moon first initiates a tunnel to carol. After some time the responder carol disconnects (simulated by iptables blocking IKE and ESP traffic). moon detects via Dead Peer Detection (DPD) that the connection is down and tries to reconnect. After a few seconds the firewall is opened again and the connection is reestablished.