strongswan can start twice in some cases, leading to non-functional IPsec
If vpn_ipsec_configure is called twice at almost exactly the same time, 'ipsec start' will run twice and it will start twice. Normally that's not possible because it checks for the PID, but if it's close enough together two instances can start. You end up with logs like:
Apr 13 19:32:38 charon 07[KNL] error sending to PF_KEY socket: No buffer space available no socket implementation registered, sending failed
This has always been possible in theory, but something in 2.3/strongswan 5.4.0 makes it happen where it doesn't appear to have ever happened previously.
Putting a lock around vpn_ipsec_configure confirmed to fix, commit coming momentarily.