I have determined another workaround for this bug, which is to use wireguard instead of IPsec/IKEv2 for the tunnel to the Android phone.
I know this is not a particularly satisfying suggestion, but I hope it narrows down the range of places where a bug could be hiding.

To recap, the crashing configuration was:

1. OpenBSD host connected to the Internet via a NATted WiFi connection through a domestic cable company router.
2. Unencrypted L2TP/PPP tunnel over this connection to a service that gives the host a static IP. (No IPsec yet.)
3. Always-on IPsec/IKEv2 tunnel #1 to another OpenBSD host somewhere, through the L2TP tunnel.
4. Intermittently-on IPsec/IKEv2 tunnel #2 to an Android phone, which uses the tunnel for retrieving email via imaps.

The configuration that does not crash replaces step 4 with:

4. Intermittently-on wireguard tunnel to an Android phone, which uses the tunnel for retrieving email via imaps.

The new configuration has been dependable enough for me to add another wireguard tunnel for a second email-checking device. No problem.

Cheers,
--T
