pfSense

pfSense is our primary gateway running behind a telco provided MPLS network. In the event we lose a connection at one of our remote locations, we bring an IPSec VPN up on a backup Internet connection. Once the MPLS network is restored, we tear down the IPSec VPN tunnel. Leaving the SPD in place causes a headache with routing until SPD's are manually deleted. Is is possible to bump this bug up in priority? Thanks.

I have same problem with 2.0 and 2.1 - 29 may snapshot.
I use a mutual psk+ xauth for mobile clients with Policy Generation on, Proposal Checking obey, nat trasversal force, DPD on.
It does not matter how i change the options when a mobile client disconnects racoon does not flush SA.

This is with racoonctl show-event when a client connects

Phase 1 established : 80.xxx.xxx.xxx⁴⁵⁰⁰ -> 95.xxx.xxx.xxx³⁶⁷²⁶
Phase 1 mode configuration done : 80.22.xxx.xxx⁴⁵⁰⁰ -> 95.xxx.xxx.xxx³⁶⁷²⁶
Phase 1 mode configuration done : 80.22.xxx.xxx⁴⁵⁰⁰ -> 95.xxx.xxx.xxx³⁶⁷²⁶
Phase 2 established : 80.xxx.xxx.xxx⁴⁵⁰⁰ -> 95.xxx.xxx.xxx³⁶⁷²⁶

This is with racoonctl show-event when a client disconnects

Event 262: 80.xxx.xxx.xxx⁴⁵⁰⁰ -> 95.xxx.xxx.xxx³⁶⁷²⁶
Phase 1 deleted : 80.xxx.xxx.xxx⁴⁵⁰⁰ -> 95.xxx.xxx.xxx³⁶⁷²⁶

setkey -D has steel the SA

80.xxx.xxx.xxx⁴⁵⁰⁰ 95.xxx.xxx.xxx⁵⁴⁷⁰⁶
esp-udp mode=any .........

80.xxx.xxx.xxx⁴⁵⁰⁰ 95.xxx.xxx.xxx⁵⁴⁷⁰⁶
esp-udp mode=any

I note in /etc/inc/ipsec.inc there is a function that calls mobile clients when disconnects ( ithink, i'm not too familiar with pfsense) :

function ipsec_disconnect_mobile($username) {
if (empty($username))
return false;
exec("/usr/local/sbin/racoonctl logout-user " . escapeshellarg($username));
}

when i try to logout the user with racoonctl like in function doen't flush SA

If i flush with setkey -F everything is working with next reconnection but only for one connection.