changes in IPsec config should down the connection
The fact that strongswan doesn't take down an established connection after changing the config has led to a number of support issues and user complaints. racoon would drop any existing connections upon changing of that connection's config. Many support cases and forum threads of changes not being applied have this as the root cause. Usually either where a config mismatch was created, but not realized until hours later when the existing connection expires, or after having added or removed networks with IKEv2 which don't work until manually disconnecting the connection on the status page.
Just doing an 'ipsec down conX' for the connection when the config is changed will address this.
#2 Updated by Lars Pedersen about 4 years ago
As a side note: when using IPsec mobile clients with PSK keys, it would be preferred not to take the entire IPsec service down when adding a new PSK key. Currently the ipsec service does nothing when adding new keys and we have to execute "ipsec rereadsecrets". So a solution that adds PSK keys and afterwards calls "ipsec rereadsecrets" would be nice, instead of all connected mobile clients being kicked out every time a new user is added.
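The two requests in this thread (down only the connection whose config changed, and only re-read secrets when a PSK is added) can be combined into one change plan. The script below is an added example, not code from the thread or from pfSense or strongSwan; the function names and the four file arguments (saved and new copies of `ipsec.conf` and `ipsec.secrets`) are assumptions, and it only prints the commands.

```shell
#!/bin/sh
# Added example, not pfSense or strongSwan code. Prints the narrowest set of
# "ipsec" commands for a config change; nothing is executed.
# Assumes the legacy ipsec.conf layout: "conn NAME" headers, indented key=value.

# changed_conns OLD_CONF NEW_CONF
# Names of conns loaded from OLD_CONF whose settings differ in, or are gone
# from, NEW_CONF. Comments, blank lines and spacing around "=" are ignored.
# A changed "conn %default" marks every conn. "also=" includes are not resolved.
changed_conns() {
    awk '
        FNR == 1 { name = ""; side = (FILENAME == ARGV[1]) ? "old" : "new" }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^conn[ \t]+/ { name = $2; seen[side, name] = 1; next }
        /^[^ \t]/ { name = ""; next }    # config setup, ca, include
        name != "" {
            line = $0
            gsub(/^[ \t]+|[ \t]+$/, "", line)
            gsub(/[ \t]*=[ \t]*/, "=", line)
            body[side, name] = body[side, name] line "\n"
        }
        END {
            dflt = (body["old", "%default"] != body["new", "%default"])
            for (k in seen) {
                split(k, p, SUBSEP); n = p[2]
                if (p[1] != "old" || n == "%default") continue
                if (dflt || !(("new", n) in seen) || body["old", n] != body["new", n])
                    print n
            }
        }
    ' "$1" "$2" | sort
}

# plan_commands OLD_CONF NEW_CONF OLD_SECRETS NEW_SECRETS
plan_commands() {
    # A new PSK only needs the secrets re-read; no tunnel is touched.
    cmp -s "$3" "$4" || echo "ipsec rereadsecrets"
    # Load the new ipsec.conf, then drop only the conns still running old settings.
    cmp -s "$1" "$2" || {
        echo "ipsec update"
        for c in $(changed_conns "$1" "$2"); do echo "ipsec down $c"; done
    }
}

if [ $# -eq 4 ]; then plan_commands "$@"; fi
```

Connections that exist only in the new file are not listed, since they have no established SA built from old settings.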