By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on both roadwarrior <b>carol</b> and gateway <b>moon</b>. Thus when <b>carol</b> initiates the connection and no current revocation information is available, the Main Mode negotiation fails but an OCSP request is issued to the OCSP server <b>winnetou</b>. When the second Main Mode trial comes around, the OCSP response will be available and the IKE negotiation completes.