Relations between ike/child/peer_cfg
The relations between child_cfg/peer_cfg are too strict:
Reloading configurations through ipsec reload deletes the child_cfgs attached to peer_cfgs, even if they are in use by an IKE_SA. This prevents a CHILD_SA from rekeying, as no child_cfg is available anymore on the peer_cfg refcounted by the IKE_SA. We either have to store a reference to the child_cfg too, or, even better, look up the configuration globally during rekeying.
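The lifetime problem above, modelled as an added self-contained example (not strongSwan code): a peer_cfg owns a list of refcounted child_cfgs, the IKE_SA refcounts only the peer_cfg, and a reload empties the peer_cfg's child list in place. A CHILD_SA that remembers only the child_cfg name loses its config on reload, while one that took its own reference (the first fix proposed above) keeps it. The struct layout, names and "net-net" child name are assumptions for illustration.

```c
#include <assert.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical minimal model of the config objects, not the real types. */
typedef struct { int refs; char name[32]; } child_cfg_t;
typedef struct { int refs; child_cfg_t *children[4]; int count; } peer_cfg_t;

static child_cfg_t *child_cfg_create(const char *name) {
    child_cfg_t *c = calloc(1, sizeof(*c));
    c->refs = 1;
    strncpy(c->name, name, sizeof(c->name) - 1);
    return c;
}

/* Drop one reference; the object is freed once nobody refers to it. */
static void child_cfg_destroy(child_cfg_t *c) { if (--c->refs == 0) free(c); }

/* "ipsec reload": the peer_cfg drops every child_cfg it owns, regardless
 * of whether an IKE_SA still holds a reference to the peer_cfg itself. */
static void peer_cfg_reload(peer_cfg_t *p) {
    for (int i = 0; i < p->count; i++) child_cfg_destroy(p->children[i]);
    p->count = 0;
}

/* Rekeying as done today: look the child_cfg up by name on the IKE_SA's peer_cfg. */
static child_cfg_t *lookup_child_cfg(peer_cfg_t *p, const char *name) {
    for (int i = 0; i < p->count; i++)
        if (strcmp(p->children[i]->name, name) == 0) return p->children[i];
    return NULL;
}

/* Returns 1 if the CHILD_SA can still find its config after a reload.
 * hold_ref selects whether the CHILD_SA took its own child_cfg reference. */
int rekey_after_reload(int hold_ref) {
    peer_cfg_t peer = { .refs = 1 };
    peer.children[peer.count++] = child_cfg_create("net-net");  /* constructed */
    peer.refs++;                     /* IKE_SA refcounts the peer_cfg only */
    child_cfg_t *sa_cfg = NULL;
    if (hold_ref) { sa_cfg = peer.children[0]; sa_cfg->refs++; }  /* proposed fix */
    peer_cfg_reload(&peer);          /* configuration reload happens mid-lifetime */
    child_cfg_t *found = hold_ref ? sa_cfg : lookup_child_cfg(&peer, "net-net");
    int ok = found != NULL;
    if (sa_cfg) child_cfg_destroy(sa_cfg);
    return ok;
}
```

The peer_cfg refcount is irrelevant here: the reload mutates the list inside the still-referenced peer_cfg, so only a reference held on the child_cfg itself (or a global lookup independent of the peer_cfg) survives it.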
A different issue concerns the relation between peer_cfg/ike_cfg:
The relation is not strict enough: As responder, it is currently not possible to enforce an ike_cfg for a peer_cfg selected later during authentication. Limiting peer_cfgs to the addresses specified in the associated ike_cfg is not possible, either.