Hi Sven,

You explicitly disabled handling of INITIAL_CONTACT notifies with uniqueids=never. So existing IKE_SAs with the same client identity will not be terminated when a new IKE_SA is created, which also means the existing virtual IP is not released. Since the same virtual IP can't be assigned to multiple clients, a new virtual IP is allocated instead.

Also, reducing the DPD timeout on servers with mobile clients is not that good an idea, as it prevents clients from roaming between networks (or being without connectivity for a while due to other reasons) and updating the existing IKE_SA via MOBIKE afterwards.

Regards,
Tobias
