pfSense

See the attached config.xml file. The ipsec phase 1 peers with ikeid's 2 and 3 are active. Each of them have 3 phase 2 associations configured. But strongswan isn't using all of them them. On the SPD tab of Status -> IPsec, only the first phase 2 entry shows up for each tunnel. And the output of '/usr/local/sbin/ipsec status' only lists the first entry (the one with the 169.254.x.y addresses) as well:

[2.2-ALPHA][admin@vpn-test-endpoint2.staff.pfmechanics.com]/root(8): ipsec status
Security Associations (2 up, 0 connecting):
con2-2⁷: ESTABLISHED 53 seconds ago, 192.207.126.12[192.207.126.12]...54.240.217.160[54.240.217.160]
con2-2{2}: INSTALLED, TUNNEL, ESP SPIs: c709827d_i f0ae3dac_o
con2-2{2}: 169.254.255.72/30|/0 === 169.254.255.72/30|/0
con2-2{2}: INSTALLED, TUNNEL, ESP SPIs: cbaffa4f_i 09a5af6c_o
con2-2{2}: 169.254.255.72/30|/0 === 169.254.255.72/30|/0
con3-3⁶: ESTABLISHED 2 minutes ago, 192.207.126.12[192.207.126.12]...54.240.217.166[54.240.217.166]
con3-3{3}: INSTALLED, TUNNEL, ESP SPIs: c7c616ba_i 5166be21_o
con3-3{3}: 169.254.255.76/30|/0 === 169.254.255.76/30|/0
con3-3{3}: INSTALLED, TUNNEL, ESP SPIs: c34deb9b_i 2033bb6b_o
con3-3{3}: 169.254.255.76/30|/0 === 169.254.255.76/30|/0

See the attached ipsec.conf file.

Each of the entries for a particular phase 1 peer (3 entries for each of them) is getting created with the same name/label in /var/etc/ipsec/ipsec.conf. E.g. conn2-2, conn3-3. When I manually changed this and restarted ipsec, things worked as expected. The attached patch works to get the entries generated with unique names.