Sometimes a VPN tunnel may die without detection, for example if one of the two peers crashes and reboots. If you add NAT and NAT-T into this picture, it becomes even more complex. If some IPsec tunnel has very low traffic, a NAT device in the middle might decide this connection has gone away, and drop its translation entry for it. Now both peers think the IPsec connection is up, but when one of them tries to send a packet, it finds the VPN has silently vanished.
With unencrypted connections, such connections would simply fail on their first packet, since the remote host would send an ICMP message about the (for the remote end) unknown connection.
With IPsec this becomes harder, as the peer that didn't get rebooted cannot just trust any unencrypted ICMP message from the other end.
With the uniqueid=yes
option set, which is the default for Openswan, the rebooted end can establish a new tunnel, and since all tunnels are considered unique, the stable end of this connection...