[strongSwan] per-connection plugins ?

Justin Pryzby pryzby at telsasoft.com
Mon Mar 28 18:39:04 CEST 2016


Is it possible to enable plugins selectively by connection?  The ones I'm
interested in are cisco unity and libipsec.

The reason libipsec is (potentially) interesting is that it creates a tun device.
If it were possible to force creation of separate tun devices for each
connection (at least each connection with a modecfg virtual IP), then I could
use a static MASQUERADE rule on that interface rather than a SNAT rule
dynamically added when the connection comes up, and lost if the firewall
(shorewall) is restarted, bringing down the connection until the connection is
also restarted.

