The roadwarriors carol and dave set up a connection to gateway moon. At the outset the gateway does not send an AUTH payload thus signalling a mutual EAP-only authentication.
Next the clients use the GSM Subscriber Identity Module (EAP-SIM) method of the Extensible Authentication Protocol to authenticate themselves. In this scenario triplets from the file /etc/ipsec.d/triplets.dat are used instead of a physical SIM card. The gateway forwards all EAP messages to the RADIUS server alice which also uses static triplets. The roadwarrior dave sends wrong EAP-SIM triplets. As a consequence the RADIUS server alice returns an Access-Reject message and the gateway moon sends back EAP_FAILURE.