The roadwarriors carol and dave set up a connection to gateway moon. At the outset the gateway authenticates itself to the clients by sending an IKEv2 digital signature accompanied by an X.509 certificate.
Next the clients use the GSM Subscriber Identity Module (EAP-SIM) method of the Extensible Authentication Protocol to authenticate themselves. In this scenario triplets from the file /etc/ipsec.d/triplets.dat are used instead of a physical SIM card. The gateway forwards all EAP messages to the RADIUS server alice which also uses static triplets. The roadwarrior dave sends wrong EAP-SIM triplets. As a consequence the RADIUS server alice returns an Access-Reject message and the gateway moon sends back EAP_FAILURE.