A VPN going down and coming back up looks like a (frequent) timeout negotiation problem.
I advise changing the DPD timeout on the devices at both ends of the VPN to 30 seconds. Both must have the same value.
On the Linux side, it is enough to set
dpdtimeout=30s
In some situations, when dealing with third-party hardware, in my experience it seems more successful to choose shorter dead peer timeouts.
From Understanding Dead Peer Detection:
Dead peer detection (DPD) is a method that network devices use to verify the current existence and availability of other peer devices.
A device performs DPD verification by sending encrypted IKE Phase 1 notification payloads (R-U-THERE messages) to a peer and waiting for DPD acknowledgements (R-U-THERE-ACK messages) from the peer. The device sends an R-U-THERE message only if it has not received any traffic from the peer during a specified DPD interval. If the device receives an R-U-THERE-ACK message from the peer during this interval, it considers the peer alive. If the device receives traffic on the tunnel from the peer, it resets its R-U-THERE message counter for that tunnel, thus starting a new interval. If the device does not receive an R-U-THERE-ACK message during the interval, it considers the peer dead.
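The timer logic quoted above, worked through as an added simulation (not code from the answer or from any IPsec implementation): each side sends R-U-THERE only after `interval` seconds without traffic from the peer, keeps re-probing at that interval, treats any received packet (including an R-U-THERE or its ACK) as a reset of the idle timer, and declares the peer dead once `timeout` seconds pass with nothing received. The `DpdPeer` and `run` names, the step size and the outage window are assumptions of this model; ACKs are delivered instantly and IKE retransmission back-off is ignored. On strongSwan the corresponding ipsec.conf settings are `dpddelay` (the probe interval) and `dpdtimeout` (which applies to IKEv1 only; IKEv2 uses the retransmission timeout instead), so the setting named in the answer is only half of the pair to align.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class DpdPeer:
    """One side's DPD timers (simulation only, not an IKE implementation)."""
    interval: float                     # idle seconds before sending R-U-THERE (dpddelay)
    timeout: float                      # silence after which the peer is declared dead (dpdtimeout)
    last_rx: float = 0.0                # last time anything arrived from the peer
    last_probe: Optional[float] = None  # last time we sent R-U-THERE in the current idle run
    alive: bool = True
    log: List[Tuple[float, str]] = field(default_factory=list)

    def on_receive(self, now: float, kind: str) -> None:
        """Any traffic from the peer resets the idle timer and the probe counter."""
        self.last_rx = now
        self.last_probe = None
        self.log.append((now, f"rx {kind}"))

    def tick(self, now: float) -> Optional[str]:
        """Advance the timers to `now`; return 'R-U-THERE' if a probe is due."""
        if not self.alive:
            return None
        silence = now - self.last_rx
        if silence >= self.timeout:             # no ACK within the timeout: peer is dead
            self.alive = False
            self.log.append((now, "peer DEAD"))
            return None
        if silence >= self.interval and (
            self.last_probe is None or now - self.last_probe >= self.interval
        ):
            self.last_probe = now               # re-probe once per interval while idle
            self.log.append((now, "tx R-U-THERE"))
            return "R-U-THERE"
        return None


def run(cfg_a: Tuple[float, float], cfg_b: Tuple[float, float],
        outage: Tuple[float, float], horizon: float = 200.0,
        step: float = 1.0) -> Tuple[Optional[float], Optional[float]]:
    """Two peers probe each other over a link that is down during outage=(start, end).

    cfg_* = (interval, timeout) for each side.  While the link is up, a peer that is
    still alive answers a probe immediately.  Returns (time A declared B dead,
    time B declared A dead); None means that side kept the tunnel up.
    """
    a, b = DpdPeer(*cfg_a), DpdPeer(*cfg_b)
    start, end = outage
    dead: List[Optional[float]] = [None, None]
    t = 0.0
    while t <= horizon:
        link_up = not (start <= t < end)
        for i, (src, dst) in enumerate(((a, b), (b, a))):
            probe = src.tick(t)
            if probe and link_up and dst.alive:
                dst.on_receive(t, probe)                # probe itself counts as traffic
                src.on_receive(t, "R-U-THERE-ACK")      # instant ACK (simplification)
            if not src.alive and dead[i] is None:
                dead[i] = t
        t += step
    return dead[0], dead[1]


if __name__ == "__main__":
    # Constructed scenario: a 25 s link outage starting at t=20.
    print("both 10s/30s   :", run((10, 30), (10, 30), (20, 45)))    # (40.0, 40.0)
    print("A 10s/30s, B 30s/150s:", run((10, 30), (30, 150), (20, 45)))  # (40.0, 160.0)
    print("both 10s/150s  :", run((10, 150), (10, 150), (20, 45)))  # (None, None)
```

With matching timers both ends tear the tunnel down at the same moment and can renegotiate together. With mismatched timers the 30 s side deletes its SAs at t=40 while the 150 s side keeps probing a peer that no longer answers until t=160, so for two minutes one end believes the tunnel is up and the other has already torn it down. With a timeout longer than the outage neither side declares the peer dead at all; whether that is desirable depends on how quickly a genuinely dead peer must be detected.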