The force restart did not fix the issue. The one thing I am questioning most is that the certificate these machines are using shows a red-interface IP address different from what they are actually using. The machines were built in a test environment and then put into production with their then-updated external IP addresses. Do I need to generate new certs? If so, I have no idea what I'm supposed to use for PKCS12 file passwords (full disclosure, I am more of a software writer than a network person). Below is the full (redacted) output from connection details after running the force restart:
Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.145.e2.1, x86_64):
uptime: 4 minutes, since Mar 11 12:35:35 2019
malloc: sbrk 2859008, mmap 0, used 539584, free 2319424
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
loaded plugins: charon ldap aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp agent xcbc cmac hmac curl attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-radius xauth-generic xauth-pam dhcp lookip addrblock
Listening IP addresses:
RED
GREEN
Connections:
Name: LOCAL...REMOTE IKEv1/2, dpddelay=30s
Name: local: [LOCAL] uses pre-shared key authentication
Name: remote: [REMOTE] uses pre-shared key authentication
Name: child: 192.168.84.0/24 === 192.168.19.0/24 TUNNEL, dpdaction=restart
Security Associations (0 up, 0 connecting):
no match
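The pasted status answers the certificate question by itself: both the local and remote lines say "uses pre-shared key authentication", and no SA is up or connecting. The script below is an added example (written for this page, not code from the original post or from the strongSwan project) that parses a charon status dump and reports exactly those two things: which connections actually rely on certificate/public-key authentication, and whether charon is attempting the tunnel at all. The first sample is the redacted output above; the second is a constructed contrast case with hypothetical names and RFC 5737 addresses showing what a certificate-authenticated connection looks like, since that is the only case where the identity baked into the certificate has to match what the peer expects.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the redacted charon status pasted in the post above
# (daemon name restored to strongSwan).
PSK_STATUS = """\
Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.145.e2.1, x86_64):
  uptime: 4 minutes, since Mar 11 12:35:35 2019
Listening IP addresses:
  RED
  GREEN
Connections:
        Name:  LOCAL...REMOTE  IKEv1/2, dpddelay=30s
        Name:   local:  [LOCAL] uses pre-shared key authentication
        Name:   remote: [REMOTE] uses pre-shared key authentication
        Name:   child:  192.168.84.0/24 === 192.168.19.0/24 TUNNEL, dpdaction=restart
Security Associations (0 up, 0 connecting):
  no match
"""

# Constructed contrast case (hypothetical connection name, identities and
# addresses): the same tunnel if it were certificate-authenticated.
CERT_STATUS = """\
Connections:
        site:  203.0.113.10...198.51.100.20  IKEv2, dpddelay=30s
        site:   local:  [C=XX, O=Example, CN=203.0.113.10] uses public key authentication
        site:    cert:  "C=XX, O=Example, CN=203.0.113.10"
        site:   remote: [198.51.100.20] uses public key authentication
        site:   child:  192.168.84.0/24 === 192.168.19.0/24 TUNNEL, dpdaction=restart
Security Associations (0 up, 1 connecting):
        site[3]: CONNECTING, 203.0.113.10[%any]...198.51.100.20[%any]
"""

# "<conn>:   local:  [<identity>] uses <method> authentication"
AUTH_RE = re.compile(
    r"^\s*(?P<name>[^:\s]+):\s+(?P<side>local|remote):\s+\[(?P<id>[^\]]*)\]"
    r"\s+uses\s+(?P<method>.+?)\s+authentication")
# "<conn>:   child:  <left> === <right> <mode>, ..."
CHILD_RE = re.compile(
    r"^\s*(?P<name>[^:\s]+):\s+child:\s+(?P<left>\S+)\s+===\s+(?P<right>\S+)\s+(?P<mode>[^\s,]+)")
SA_RE = re.compile(r"^Security Associations \((?P<up>\d+) up, (?P<connecting>\d+) connecting\)")


@dataclass
class Conn:
    name: str
    auth: dict = field(default_factory=dict)      # side -> authentication method
    ids: dict = field(default_factory=dict)       # side -> identity charon will assert/expect
    children: list = field(default_factory=list)  # (left subnet, right subnet, mode)


def parse_status(text):
    """Extract per-connection auth methods/identities and the SA counters."""
    conns = {}
    sas = {"up": None, "connecting": None}
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            c = conns.setdefault(m["name"], Conn(m["name"]))
            c.auth[m["side"]] = m["method"]
            c.ids[m["side"]] = m["id"]
            continue
        m = CHILD_RE.match(line)
        if m:
            c = conns.setdefault(m["name"], Conn(m["name"]))
            c.children.append((m["left"], m["right"], m["mode"]))
            continue
        m = SA_RE.match(line)
        if m:
            sas = {"up": int(m["up"]), "connecting": int(m["connecting"])}
    return conns, sas


def diagnose(text):
    """Reduce a status dump to the checks that matter for the question above."""
    conns, sas = parse_status(text)
    findings = []
    for c in conns.values():
        pubkey_sides = sorted(s for s, m in c.auth.items() if m != "pre-shared key")
        if pubkey_sides:
            findings.append(
                f"{c.name}: public-key auth on {', '.join(pubkey_sides)}; the certificate "
                f"identity ({c.ids.get('local', '?')}) must match what the peer expects")
        else:
            findings.append(
                f"{c.name}: both sides use a pre-shared key; the certificate is not used "
                f"for this tunnel, so the address embedded in it cannot be the cause")
        for left, right, mode in c.children:
            findings.append(f"{c.name}: child {left} <-> {right} ({mode})")
    if sas["up"] == 0 and sas["connecting"] == 0:
        findings.append(
            "no IKE SA up or connecting: charon is not attempting the tunnel at all; "
            "check the connection's auto= setting or start it with 'ipsec up <name>'")
    elif sas["up"] == 0:
        findings.append(
            f"{sas['connecting']} SA(s) connecting but none up: read the peer's reply in the charon log")
    return findings


if __name__ == "__main__":
    for label, status in (("PSK sample", PSK_STATUS), ("cert sample", CERT_STATUS)):
        print(f"== {label}")
        for f in diagnose(status):
            print("  -", f)
```

Run it against a real `ipsec statusall` dump to get the same two answers for a live box; if every connection comes back as pre-shared key, regenerating certificates (and worrying about PKCS#12 passwords) will not change anything about that tunnel.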