I'm being told the new client should support customized IPsec policy's. As far as I could see that's not implemented so far.
As long as this is not possible connection will still be terminated after 4 hour's if user does not re-authenticate with OTP because there is no way the change Rekey time for IKE. Would that be possible in the near future?