[strongSwan] how to watch farp at work?

Harald Dunkel harald.dunkel at aixigo.de
Wed Jun 21 16:48:18 CEST 2017


Hi folks,

Is there a config option for strongswan to watch farp at
work? I had the impression that sometimes it forgets
a client.

Long story:

Consider a road warrior setup. The IPsec gateway to the
company network has a direct connection to the internet
via IPv4 and IPv6. No NAT. It runs strongswan 5.5.3 on
Debian 8. dhcp and farp are in place.

The IPsec peer (MacOS) runs in a NATed network, provided
by an OpenBSD gateway/firewall.

Sometimes, when the Mac wakes up from hibernate, it seems
to have lost its IPsec connection, even though the GUI
says "connected". Both involved gateways still have a
valid IKE SA, child SA and NAT table entry.

A ping from the Mac to (let's say) our internal DNS server
comes through, but tcpdump on the DNS server shows it
doesn't send an echo reply back. IMU this means that the
host couldn't match the echo reply's destination IP address
to the MAC address of the IPsec gateway. farp is bad, is
it?

Unfortunately the Mac gave up and created a new IPsec
connection, so I couldn't examine the arp table or watch
the arp traffic on the DNS host.

The problem is hard to reproduce. And usually there are 20+
road warriors online in parallel.

Obviously I am not finished with examining the problem,
but any helpful advice is highly appreciated.

Harri
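A way to watch farp at work, added here as an example and not part of Harald's message or of the strongSwan project. The farp plugin answers ARP requests for virtual IPs it has handed out by sending ARP replies carrying the gateway's own MAC on a raw packet socket, so there are two observation points: tcpdump on the gateway's company-side interface (request in, reply out, `-e` shows the MACs) and the neighbour table on the internal host that is supposed to have learned that MAC. The script below prints the live commands for both points and, so that it runs offline, classifies constructed `ip neigh show` output for the road warrior's virtual IP. The interface name, the virtual IP and the gateway MAC are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example for the farp question above; not code from the post or from
# strongSwan. Every interface, address and MAC below is an assumed value.

GW_MAC="02:00:00:aa:bb:cc"   # assumed: MAC of the gateway's company-side interface
VIP="10.99.0.5"              # assumed: virtual IP farp should be answering for

# Classify the neighbour-table entry for a virtual IP, given the text of
# `ip neigh show` captured on the internal host (the DNS server in the post).
# Prints one word:
#   ok          entry resolves to the gateway MAC (farp answered and it stuck)
#   wrong-mac   entry resolves to another MAC (some other host answered)
#   unresolved  entry exists but has no MAC, or is FAILED/INCOMPLETE
#   missing     no entry at all (host never asked, or the entry was evicted)
classify_neigh() {
    printf '%s\n' "$3" | awk -v ip="$1" -v want="$2" '
        $1 == ip {
            found = 1; mac = ""
            for (i = 1; i <= NF; i++) if ($i == "lladdr") mac = $(i + 1)
            state = $NF
            if (mac == "" || state == "FAILED" || state == "INCOMPLETE") print "unresolved"
            else if (tolower(mac) != tolower(want))                         print "wrong-mac"
            else                                                            print "ok"
            exit
        }
        END { if (!found) print "missing" }'
}

# Constructed samples in the shape `ip neigh show` prints on the DNS host.
SAMPLE_GOOD="10.99.0.5 dev eth0 lladdr 02:00:00:aa:bb:cc REACHABLE
10.1.0.1 dev eth0 lladdr 02:00:00:00:00:01 STALE"
SAMPLE_OTHER="10.99.0.5 dev eth0 lladdr 02:00:00:dd:ee:ff STALE"
SAMPLE_FAILED="10.99.0.5 dev eth0 FAILED"
SAMPLE_NONE="10.1.0.1 dev eth0 lladdr 02:00:00:00:00:01 REACHABLE"

# The commands to run while a client is connected. They are printed, not
# executed, because they need root and the real interfaces.
live_commands() {
    cat <<EOF
# on the gateway: ARP request from the internal host and farp's reply, with MACs
tcpdump -eni eth1 arp and host $VIP
# on the internal host: which MAC does it hold for the client's virtual IP?
ip neigh show $VIP
# on the gateway: is farp loaded, and is the virtual IP still bound to an SA?
ipsec statusall | grep -E 'loaded plugins|$VIP'
EOF
}

# Demonstration on the constructed samples.
for s in "$SAMPLE_GOOD" "$SAMPLE_OTHER" "$SAMPLE_FAILED" "$SAMPLE_NONE"; do
    first=$(printf '%s\n' "$s" | head -n 1)
    printf '%s -> %s\n' "$first" "$(classify_neigh "$VIP" "$GW_MAC" "$s")"
done
live_commands
```

Reading the result against the symptom in the post: an echo request that reaches the DNS server while no reply leaves it is consistent with "unresolved" (the host sent an ARP request and nobody, farp included, answered) or "wrong-mac" (another device answered for the virtual IP, so the reply goes to the wrong interface). "ok" with a STALE state is normal; the kernel re-probes a stale entry before discarding it, and the tcpdump on the gateway then shows whether farp answers that probe. If `ipsec statusall` does not list farp among the loaded plugins, or no longer shows the virtual IP for the client's SA, farp has nothing to answer for and the neighbour entry will eventually go FAILED.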
