I have updated to V1.2.0-rolling+201804200337. After that the configuration node 'service dns forwarding' has disappeared from the config tree.
I reconfigured this and the 'listen on'-part is ok now. Thanks for fixing this one Christian.

I just tried. The config tree looks like before:

This Tasks seems to be resolved since kernel 4.14, as the xen netfront bug in kernel is fixed in this version (https://patchwork.kernel.org/patch/9338979/).
I tested with latest nightly on AWS. No packetloss anymore with AES!

I also tried without edit mode like this with same result:

I just tested on VyOS 999.201802080337 with same result:

that's exactly how i tested before. All other vpn config was done before and is running fine (commit and saved). As soon as i change (set or delete) something at 'vpn ipsec logging log-level' oder vpn ipsec logging log-modes' I get this message:

yes that's the version I tested on

thanks @c-po.
I don't know what other information could be relevant. It's an instance on AWS. Nothing special before. The log-modes are set after the error messages. I can say that. Look at this here:

Thanks Brandon for your findings. IPSec with dynamic peer is no problem in VyOS. We use some of that with x.509 auth. Only VTI with dynamic peer is not allowed by VyOS. Do you know more about VTI and dynamic peer with strongswan on other linux installations (not VyOS)? Is it possible there?

VyOS doesn't allow this configuration variant. You get an appropriate message if you try. In EdgeOS it's the same. I don't know if it's possible in Strongswan V5.3.5.

no problem:

Hi Jules

is your fix already in 'vyos-999.201707272138-amd64.iso'? I get in this version:

I can support this idea. It's quite usual on other routers or firewalls to have global objects, you define once and use it in firewall, nat, policy routing...