The peers carol, dave, and moon all have dynamic IP addresses, so the remote end is defined symbolically by right=%<hostname>. The ipsec starter resolves the fully-qualified hostname into the current IP address via a DNS lookup (simulated here by an /etc/hosts entry). Since the peer IP addresses are expected to change over time, the '%' prefix is used as an implicit alternative to the explicit rightallowany=yes option, which allows an IKE_SA rekeying to arrive from an arbitrary IP address provided that the peer identity remains unchanged. When this happens, the old tunnel is replaced by an IPsec connection to the new origin.
In this scenario both carol and dave initiate a tunnel to moon, which has a named connection definition for each peer. Although the IP addresses that moon holds for carol and dave are stale, thanks to the '%' prefix moon accepts the IKE negotiations from their actual IP addresses.
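The following ipsec.conf fragment for moon is an added illustration of the two equivalent forms described above; it is not the scenario's own configuration file. The hostnames (carol.strongswan.org, dave.strongswan.org, moon.strongswan.org), identities, certificate file names, addresses and subnets are assumed values chosen for the example, and the /etc/hosts entries are constructed to stand in for the DNS lookup the starter performs.

```conf
# /etc/ipsec.conf on moon (constructed example, not the scenario's own file)

conn %default
        keyexchange=ikev2
        keyingtries=1
        left=192.0.2.1                    # assumed address of moon
        leftsubnet=10.1.0.0/16            # assumed subnet behind moon
        leftcert=moonCert.pem             # assumed certificate file
        leftid=moon.strongswan.org        # assumed identity of moon
        auto=add                          # moon only responds; carol and dave initiate

# Implicit form: the '%' prefix makes the starter resolve the hostname
# once at start-up and implies rightallowany=yes, so a rekeying IKE_SA
# from a different address is accepted as long as rightid still matches.
conn carol
        right=%carol.strongswan.org
        rightid=carol@strongswan.org      # assumed identity; this is what is actually checked

# Explicit form: a plain hostname plus rightallowany=yes behaves the same way.
conn dave
        right=dave.strongswan.org
        rightallowany=yes
        rightid=dave@strongswan.org       # assumed identity

# /etc/hosts on moon (constructed; these entries are the "stale" addresses
# the starter resolves, while the peers actually connect from elsewhere)
# 192.0.2.100   carol.strongswan.org
# 192.0.2.200   dave.strongswan.org
```

Two points are worth checking when using either form. First, the starter resolves the hostname only when the connection is loaded (ipsec start, ipsec update or ipsec reload), so the address stored in the connection does not follow later DNS changes; for a responder-only connection like moon's this only affects the initial lookup, since the accepted source address is then governed by rightallowany. Second, because rightallowany removes the source-address restriction, the peer identity check is the only thing tying an incoming negotiation to the intended peer: keep rightid specific to each peer and backed by a certificate or secret, rather than loosening it to a wildcard.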