Comment 0 for bug 1687711

strongSwan is effectively incompatible with iOS 10+ and macOS 10.11+ devices. Dead peer detection does not work for these devices and they continually re-establish security associations (SAs) as a result. Please see the issue's described in further detail below:

strongSwan confirmed the issue and patched it in 5.5+:
https://wiki.strongswan.org/issues/2126

strongSwan recommends a workaround that breaks other functionality:
https://wiki.strongswan.org/projects/strongswan/wiki/AppleClients#IKEv2-on-iOS-9-and-iOS-10

Ubuntu users are running into this bug in normal usage:
https://github.com/trailofbits/algo/issues/430

In order to test this issue:
1. Deploy an Ubuntu 16.04 server with strongSwan via Algo (https://github.com/trailofbits/algo)
2. Connect an iOS client
3. Wait a few minutes for the reconnects to start based on broken dead peer detection

In order to test the fix for this issue:
1. Deploy an Ubuntu 17.04 server with strongSwan via Algo
2. Connect an iOS client
3. Wait the same time period as before and notice that the connection does not drop

Ubuntu 17.04 has packaged strongSwan 5.5.1 which fixes this issue. I would recommend backporting strongSwan 5.5.1 to Ubuntu 16.04.