By setting strictcrlpolicy=yes, a strict CRL policy is enforced on both roadwarrior carol and gateway moon. Client carol's certificate includes an OCSP URI in an authority information access extension pointing to winnetou. Gateway moon's certificate doesn't contain any such extensions but carol's swanctl.conf contains a corresponding authorities section. With the directive charon.plugins.revocation.enable_ocsp = no in strongswan.conf all OCSP fetching is disabled and a fallback to CRL fetching occurs.
carol can successfully initiate an IPsec connection to moon since the status of both certificates is good.