The VPN gateway moon controls access to the hosts alice and venus by means of two different Intermediate CAs. Access to alice is granted to users presenting a certificate issued by the Research CA, whereas venus can only be reached with a certificate issued by the Sales CA. The roadwarriors carol and dave have certificates from the Research CA and Sales CA, respectively. Therefore, carol can access alice and dave can reach venus.
The gateway moon doesn't have the intermediate CA certificate installed and, instead of sending the actual certificates, the two clients send "Hash and URL" certificate payloads. The gateway fetches the certificates via HTTP from the server winnetou.
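
The "Hash and URL" exchange described above, as an added example that is not strongSwan's code or part of the original scenario: the client announces a SHA-1 digest plus a URL (payload layout per RFC 7296 section 3.6), and the gateway accepts the fetched bytes only if they match that digest. The certificate bytes, the URL under `winnetou.example`, the HTTP-only scheme policy and all function names are assumptions constructed for illustration.

```python
import hashlib
import hmac

HASH_AND_URL_X509 = 12   # Cert Encoding value, RFC 7296 section 3.6
SHA1_LEN = 20            # the payload carries a SHA-1 digest of the DER certificate
ALLOWED_SCHEMES = ("http://",)  # assumption: this example only permits plain HTTP lookups

# Constructed sample data: placeholder bytes standing in for a DER certificate,
# and a hypothetical URL on the server winnetou.
CAROL_DER = b"0\x82constructed-stand-in-for-carol-certificate"
CAROL_URL = "http://winnetou.example/certs/carol.der"
FAKE_SERVER = {CAROL_URL: CAROL_DER}


def build_hash_and_url(cert_der, url):
    """Client side: CERT payload body = encoding byte | SHA-1(cert) | URL."""
    return bytes([HASH_AND_URL_X509]) + hashlib.sha1(cert_der).digest() + url.encode("ascii")


def parse_hash_and_url(body):
    """Gateway side: split the payload body into (digest, url) and validate it."""
    if len(body) <= 1 + SHA1_LEN:
        raise ValueError("payload too short for hash and URL")
    if body[0] != HASH_AND_URL_X509:
        raise ValueError("not a Hash and URL of X.509 certificate payload")
    digest = body[1:1 + SHA1_LEN]
    url = body[1 + SHA1_LEN:].decode("ascii")  # non-ASCII raises UnicodeDecodeError (a ValueError)
    if not url.startswith(ALLOWED_SCHEMES):
        raise ValueError("URL scheme not allowed")
    return digest, url


def accept_fetched_cert(body, fetch):
    """Fetch the certificate and accept it only if it matches the announced hash."""
    digest, url = parse_hash_and_url(body)
    der = fetch(url)  # fetch is a caller-supplied callable: url -> bytes
    if not hmac.compare_digest(hashlib.sha1(der).digest(), digest):
        raise ValueError("fetched certificate does not match hash in payload")
    return der


if __name__ == "__main__":
    payload = build_hash_and_url(CAROL_DER, CAROL_URL)
    print(accept_fetched_cert(payload, FAKE_SERVER.__getitem__) == CAROL_DER)
```

The digest check only ties the downloaded bytes to what the peer announced; the fetched certificate must still pass normal trust-chain validation before it is used to decide between alice and venus.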