Version 4.1.5¶

• If a DNS lookup failure occurs when resolving right=%<FQDN>
  or right=<FQDN> combined with rightallowany=yes then the
  connection is not updated by ipsec starter thus preventing
  the disruption of an active IPsec connection. Only if the DNS
  lookup successfully returns with a changed IP address the
  corresponding connection definition is updated.

• Routes installed by the keying daemons are now in a separate
  routing table with the ID 100 to avoid conflicts with the main
  table. Route lookup for IKEv2 traffic is done in userspace to ignore
  routes installed for IPsec, as IKE traffic shouldn't get encapsulated.