StrongSwan can use PAM for handling updown events. Just like xauth_pam, updown_pam can use session open/close events to handle ups & downs of ipsec tunnels.
Whole system can be then configured in one /etc/pam.d/ipsec file using (standard or custom) PAM modules.
I'm considering writing it myself, just to have all-in-one bundle in one PAM module.
#2 Updated by Michal Zubac about 8 years ago
I mean, StrongSwan could make direct calls to PAM (which then comes to PAM module's session_open/close functions), so you skip the overhead of running shell interpreter, which starts some other program(s). Then you could have authentication code & session handling code in one place, in PAM module.
And you could mimic current updown behaviour by using updown_pam + pam-script.