This scenario tests the strictcrlpolicy=ifuri option which enforces a strict CRL policy for a given CA if at least one OCSP or CRL URI is known for this CA at the time of the certificate trust path verification. On the gateway moon two different Intermediate CAs control the access to the hosts alice and venus. Access to alice is granted to users presenting a certificate issued by the Research CA whereas venus can only be reached with a certificate issued by the Sales CA.
The roadwarrior carol has a certificate from the Research CA which does not contain any URIs. Therefore a strict CRL policy is not enforced and the connection setup succeeds, although the certificate status is unknown.
The roadwarrrior dave has a certificate from the Sales CA which contains a single OCSP URI but which is not resolvable. Thus because of the known URI a strict CRL policy is enforced and the unknown certificate status causes the connection setup to fail.