The roadwarrior carol and the gateway moon use the openssl plugin based on the OpenSSL library for all cryptographical and X.509 certificate functions whereas roadwarrior dave uses the default strongSwan cryptographical plugins aes sha1 sha2 hmac gmp x509 plus the openssl plugin for the Elliptic Curve Diffie-Hellman groups only.
The roadwarriors carol and dave set up a connection each to gateway moon. The authentication is based on X.509 certificates. carol proposes the DH groups ECP_256 and ECP_384 whereas dave proposes ECP_256 and ECP_521. Since moon does not support ECP_256 the roadwarriors fall back to ECP_384 and ECP_521, respectively.
Upon the successful establishment of the IPsec tunnels, the updown script automatically inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test both tunnel and firewall, both carol and dave ping the client alice behind the gateway moon.