Actually it's not a bug, it's expected and it's how pkg is designed to work.
When we moved to 2.3.2_1 we cherry-picked some package upgrades from FreeBSD ports tree since these upgrades fixes some vulnerabilities listed by 'pkg audit'. Following ports were updated:
php56
perl5
libxml2
libidn
curl
Due to these updates, when poudriere starts to build our ports set, it deletes all packages that depends of above listed packages and rebuild them. At this time, strongswan was rebuilt as many other ports, and a new package with same version was created.
This new package was included in 2.3.2-p1, so when you install it directly you will see the new package, and checksum differs.
During upgrade, since any shared library version has bumped, pkg understands packages like strongswan don't need to be reinstalled, because libraries it depends didn't have any ABI changes. Then you end up with the version built for 2.3.2.
If you compare the built date for strongswan package on both systems you will see this:
- 2.3.2
[2.3.2-RELEASE][admin@pf232.home]/root: pkg info strongswan
strongswan-5.5.0
Name : strongswan
Version : 5.5.0
Installed on : Wed Jul 20 15:39:17 2016 UTC
Origin : security/strongswan
Architecture : freebsd:10:x86:64
Prefix : /usr/local
Categories : security
Licenses : GPLv2
Maintainer : strongswan@nanoteq.com
WWW : http://www.strongswan.org
Comment : Open Source IKEv2 IPsec-based VPN solution
- 2.3.2-p1
[2.3.2-RELEASE][admin@pfs232-1.home]/root: pkg info strongswan
strongswan-5.5.0
Name : strongswan
Version : 5.5.0
Installed on : Mon Oct 17 23:14:33 2016 UTC
Origin : security/strongswan
Architecture : freebsd:10:x86:64
Prefix : /usr/local
Categories : security
Licenses : GPLv2
Maintainer : strongswan@nanoteq.com
WWW : http://www.strongswan.org
Comment : Open Source IKEv2 IPsec-based VPN solution