Invalid configuration: dpd_action = start accepted but not supported by strongSwan

[cotosso]

Problem description:
In the IPsec tunnel configuration file, when dpd_action is enabled, the dpd_action field is set to set to start, like in the example below:

children {
  ns_8b4cbf36_tunnel_1 {
    local_ts = 172.25.0.0/24
    remote_ts = 192.168.1.0/24
    if_id_in = 3
    if_id_out = 3
    start_action = start
    esp_proposals = aes256-sha256-modp2048
    mode = tunnel
    life_time = 66m
    rekey_time = 3600
    dpd_action = start
  }
}

However, according to the official strongSwan swanctl.conf documentation, dpd_action only supports the values:

• clear
• trap
• restart

The value start is not listed and is therefore invalid. This may cause unexpected behavior or mislead users configuring the tunnel.

Steps to reproduce

• configure an ipsec tunnel
• enable DPD

Expected behavior

In the ipsec configuration /var/swanctl/swanctl.conf for each tunnel there will be a line like this:

dpd_action = restart

Actual behavior

In the ipsec configuration /var/swanctl/swanctl.conf for each tunnel there will be a line like this:

dpd_action = start

Suggested fix
Update the configuration logic to use a valid dpd_action, such as restart, instead of start.

[cotosso]

It may be less simple than expected.
I tried to fix it this way in a test machine:

root@nsec8-vm:~# diff -u swanctl /etc/init.d/swanctl 
--- swanctl    2025-07-08 12:20:01.083401939 +0200
+++ /etc/init.d/swanctl    2025-07-08 12:20:24.923450986 +0200
@@ -314,7 +314,7 @@
     hold)
         dpdaction="trap" ;;
     restart)
-        dpdaction="start" ;;
+        dpdaction="restart" ;;
     trap|start)
         # already using new syntax
         ;;

the file is correctly generated, but when I applied the new configuration from the UI the tunnel were duplicated, new tunnel were installed but the old ones weren't removed, something like that

root@firewall:~# swanctl -l| less
plugin 'kdf': failed to load - kdf_plugin_create not found and no plugin file available
ns_c935915d: #2, ESTABLISHED, IKEv1, 743acb9f28e52442_i* f6b211a15f2fe4e8_r
  local  '88.88.88.88' @ 88.88.88.88[500]
  remote '99.99.99.99' @ 99.99.99.99[500]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  established 12544s ago, rekeying in 68749s
  ns_1a331034_tunnel_1: #15, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128/MODP_2048
    installed 242s ago, rekeying in 79045s, expires in 94798s
    in  c53cd7d9 (-|0x00000001),      0 bytes,     0 packets
    out f1833e9f (-|0x00000001),      0 bytes,     0 packets
    local  10.10.10.0/24
    remote 10.20.20.0/24
  ns_7f9f9f9b_tunnel_1: #16, reqid 2, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128/MODP_2048
    installed 185s ago, rekeying in 78534s, expires in 94855s
    in  c647db6f (-|0x00000001),      0 bytes,     0 packets
    out 968ee78f (-|0x00000001),      0 bytes,     0 packets
    local  10.10.10.0/24
    remote 10.20.20.0/24

[Tbaile]

We provide the correct configuration in the tunnel on creation:

...
ipsec.ns_552547bc_tunnel_1=tunnel
ipsec.ns_552547bc_tunnel_1.ipcomp='false'
ipsec.ns_552547bc_tunnel_1.dpdaction='restart'
...

Issue seems to resides in the component upstream: https://github.com/openwrt/packages/blob/6d4685af46c6b6719a70fbab6bfe9bfcc1b44600/net/strongswan/files/swanctl.init#L316-L317