Bug #10632 (closed): Incorrect swanctl.conf syntax from Child SA Close Action
Start date: 06/04/2020
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.5.0
Affected Architecture: amd64
Description
I was trying the latest pfSense build (2.5.0.a.20200603.1253) when I ran across a snag with IPsec. If you set an IPsec phase 1 "Child SA Close Action" to "Close connection and reconnect on demand", the generated swanctl.conf file has "close_action = hold" instead of "close_action = trap", which prevents strongSwan from loading the connection. If I change it to something else like no action, it works. I believe this is related to Todo #9603 (Strongswan stroke is deprecated, move to swanctl/vici).
Here's the logs and relevant section of /var/etc/ipsec/swanctl.conf:
Jun 4 01:11:15 charon 79811 12[NET] <1> received packet: from x.x.x.x[500] to y.y.y.y[500] (232 bytes)
Jun 4 01:11:15 charon 79811 12[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jun 4 01:11:15 charon 79811 12[CFG] <1> looking for an IKEv2 config for y.y.y.y...x.x.x.x
Jun 4 01:11:15 charon 79811 12[IKE] <1> no IKE config found for y.y.y.y...x.x.x.x, sending NO_PROPOSAL_CHOSEN
Jun 4 01:11:15 charon 79811 12[ENC] <1> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Jun 4 01:11:15 charon 79811 12[NET] <1> sending packet: from y.y.y.y[500] to x.x.x.x[500] (36 bytes)
Jun 4 01:11:15 charon 79811 12[IKE] <1> IKE_SA (unnamed)[1] state change: CREATED => DESTROYING

children {
    con2000 {
        close_action = hold
        dpd_action = restart
        mode = tunnel
        policies = yes
        life_time = 10800
        start_action = trap
        remote_ts = 192.168.1.0/24
        local_ts = 192.168.2.0/24
        esp_proposals = aes128gcm128-curve25519
    }
}
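The failure mode reported above (a stroke-era ipsec.conf value such as "hold" written into swanctl.conf, so charon silently loads no connection and answers IKE_SA_INIT with NO_PROPOSAL_CHOSEN) is easy to catch before the config is handed to strongSwan. The following is an added linting example, not pfSense or strongSwan code: it parses a swanctl.conf fragment, checks every child section's action keys against the value sets the swanctl.conf documentation lists, and suggests the swanctl spelling where one is known. The allowed sets and the hold/restart/clear-to-trap/start/none mapping are taken from the strongSwan documentation, not from this report (the report only establishes hold versus trap); the sample fragment is constructed from the one in the description, wrapped in the connections section swanctl.conf requires.

```python
"""Lint a swanctl.conf fragment for action values swanctl does not accept."""
import re

# Values documented for swanctl.conf child-section action keys (assumption taken
# from the strongSwan swanctl.conf documentation, not from the bug report).
SWANCTL_ACTIONS = {
    "close_action": {"none", "trap", "start"},
    "start_action": {"none", "trap", "start"},
    "dpd_action": {"none", "clear", "trap", "restart"},
}

# ipsec.conf (stroke) spellings and their swanctl equivalents; the report itself
# only shows the close_action hold -> trap case, the rest is documented mapping.
STROKE_TO_SWANCTL = {
    "close_action": {"hold": "trap", "restart": "start", "clear": "none"},
    "start_action": {},
    "dpd_action": {"hold": "trap"},
}

# Constructed from the fragment in the description; not a real pfSense file.
SAMPLE_CONF = """\
connections {
    con2000 {
        children {
            con2000 {
                close_action = hold
                dpd_action = restart
                mode = tunnel
                policies = yes
                life_time = 10800
                start_action = trap
                remote_ts = 192.168.1.0/24
                local_ts = 192.168.2.0/24
                esp_proposals = aes128gcm128-curve25519
            }
        }
    }
}
"""


def parse_swanctl(text):
    """Parse swanctl.conf brace syntax into nested dicts.

    Sections become dicts, key = value lines become strings. One statement per
    line and '#' comments are supported, which covers generated configs."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            section = {}
            stack[-1][line[:-1].strip()] = section
            stack.append(section)
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif "=" in line:
            key, _, value = line.partition("=")
            stack[-1][key.strip()] = value.strip()
        else:
            raise ValueError(f"unparseable line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unclosed section")
    return root


def lint_children(config):
    """Return (section path, key, bad value, suggested fix or None) for every
    child-section action key whose value swanctl.conf would reject."""
    findings = []

    def walk(section, path):
        for name, value in section.items():
            if not isinstance(value, dict):
                continue
            if name == "children":
                for child, settings in value.items():
                    for key, allowed in SWANCTL_ACTIONS.items():
                        val = settings.get(key)
                        if val is not None and val not in allowed:
                            fix = STROKE_TO_SWANCTL[key].get(val)
                            findings.append(("/".join(path + [name, child]), key, val, fix))
            else:
                walk(value, path + [name])

    walk(config, [])
    return findings


def rewrite_actions(text):
    """Return the fragment with known stroke-era action values rewritten in place;
    values with no known mapping are left untouched for a human to look at."""
    def repl(match):
        key, val = match.group(1), match.group(2)
        fix = STROKE_TO_SWANCTL.get(key, {}).get(val)
        return f"{key} = {fix}" if fix else match.group(0)
    return re.sub(r"\b(close_action|start_action|dpd_action)\s*=\s*(\w+)", repl, text)


if __name__ == "__main__":
    for path, key, val, fix in lint_children(parse_swanctl(SAMPLE_CONF)):
        print(f"{path}: {key} = {val} is not a swanctl value"
              + (f", use {fix}" if fix else ""))
```

Running it on the sample reports the single offending line from the description (close_action = hold, suggested fix trap) and nothing else, since dpd_action = restart and start_action = trap are valid swanctl values; rewrite_actions produces a fragment the linter accepts. Wiring such a check into whatever generates /var/etc/ipsec/swanctl.conf turns a silent "no IKE config found" at connection time into a load-time error.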