This is the code from /etc/inc/vpn.inc that runs 'ipsec start'.
	/* manage process */
	if ($restart === true) {
		mwexec("/usr/local/sbin/ipsec restart", false);
	} else {
		if (isvalidpid("{$g['varrun_path']}/starter.charon.pid")) {
			/* Update configuration changes */
			/* Read secrets */
			mwexec("/usr/local/sbin/ipsec rereadall", false);
			mwexec("/usr/local/sbin/ipsec reload", false);
		} else {
			mwexec("/usr/local/sbin/ipsec start", false);
		}
	}
If you try to start it while it's already running, it sees the PID file and just exits.
# ipsec start
Starting strongSwan 5.4.0 IPsec [starter]...
charon is already running (/var/run/charon.pid exists) -- skipping daemon start
So I'm not sure how it could end up running twice. Maybe if you run 'ipsec start' twice really close to the same time, so both run before the first gets the PID in place.
I'd turn those lines above into something like this:
	/* one timestamp per call so overlapping calls can be told apart in the log */
	$ts = microtime(true);
	log_error("DEBUG: vpn_ipsec_configure manage process. $ts");
	/* manage process */
	if ($restart === true) {
		log_error("DEBUG: $ts - ipsec restart");
		mwexec("/usr/local/sbin/ipsec restart", false);
	} else {
		if (isvalidpid("{$g['varrun_path']}/starter.charon.pid")) {
			/* Update configuration changes */
			/* Read secrets */
			log_error("DEBUG: $ts - rereadall and reload");
			mwexec("/usr/local/sbin/ipsec rereadall", false);
			mwexec("/usr/local/sbin/ipsec reload", false);
		} else {
			log_error("DEBUG: $ts - ipsec start");
			mwexec("/usr/local/sbin/ipsec start", false);
		}
	}
and replicate, then look at the log to see what's happening ("clog /var/log/system.log|grep DEBUG" in SSH).
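If the suspicion above is right (two callers reaching 'ipsec start' before the first has written its PID file), the block can be serialized with a lock and the contention itself logged, which both prevents the double start and records evidence of it. This is an added example, not pfSense's own code or the poster's: it assumes `$g['varrun_path']`, `$restart`, `isvalidpid()`, `mwexec()` and `log_error()` from the surrounding vpn.inc/util.inc context, and the lock file name is a made-up placeholder.

```php
<?php
/* Added example (not pfSense code): wrap the manage-process block in a
 * flock() mutex so concurrent vpn_ipsec_configure() calls run one at a
 * time, and log when a caller actually had to wait. A "waiting" line in
 * system.log is direct evidence that two calls overlapped. */
function ipsec_manage_process($restart, $g) {
	$ts = microtime(true);
	$lockfile = "{$g['varrun_path']}/ipsec_manage.lock"; /* placeholder name */
	$fp = fopen($lockfile, 'c');
	if ($fp === false) {
		log_error("DEBUG: $ts - cannot open $lockfile, proceeding unlocked");
	} elseif (!flock($fp, LOCK_EX | LOCK_NB)) {
		/* Another call is inside this block right now: the overlap the
		 * debug logging is meant to catch. Record it, then wait our turn. */
		log_error("DEBUG: $ts - manage process already in progress, waiting");
		flock($fp, LOCK_EX); /* blocks until the other caller releases it */
	}
	log_error("DEBUG: vpn_ipsec_configure manage process. $ts");
	if ($restart === true) {
		log_error("DEBUG: $ts - ipsec restart");
		mwexec("/usr/local/sbin/ipsec restart", false);
	} elseif (isvalidpid("{$g['varrun_path']}/starter.charon.pid")) {
		/* daemon is up: re-read secrets and reload the changed config */
		log_error("DEBUG: $ts - rereadall and reload");
		mwexec("/usr/local/sbin/ipsec rereadall", false);
		mwexec("/usr/local/sbin/ipsec reload", false);
	} else {
		/* no valid PID: only the lock holder can reach this start */
		log_error("DEBUG: $ts - ipsec start");
		mwexec("/usr/local/sbin/ipsec start", false);
	}
	if ($fp !== false) {
		flock($fp, LOCK_UN); /* release so the waiting caller sees the new PID */
		fclose($fp);
	}
}
```

Because the second caller only proceeds after the first has finished, it sees the PID file and takes the rereadall/reload branch instead of a second start.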