If we have remote peers behind NAT, they never reconnect when received action for close a CHILD_SA.
It happens if we configure HQ and before restart strongswan generates action for close CHILD_SA.
From strongswan docs
closeaction = none | clear | hold | restart
defines the action to take if the remote peer unexpectedly closes a CHILD_SA (see dpdaction for
meaning of values). A closeaction should not be used if the peer uses reauthentication or uniqueids checking,
as these events might trigger the defined action when not desired. Prior to 5.1.0, closeaction was
not supported for IKEv1 connections.
vyos@PEER3# set vpn ipsec ike-group TAG close-action Possible completions: none Set action to none (default) hold Set action to hold clear Set action to clear restart Set action to restart