Bug
Resolution: Done-Errata
Critical
FDP-25.A
None
5
False
False
rhel-9
None
rhel-net-ovs-dpdk
ssg_networking
OVS/DPDK - FDP-25.C
1
Important

ovs-monitor-ipsec service doesn't have permissions to create /etc/ipsec.secrets or read content of /etc/ipsec.d/. That makes it not possible to run openvswitch-ipsec systemd service with SELinux in enforcing mode.
At least the following extra permissions are required:
allow openvswitch_t etc_t:dir add_name;
allow openvswitch_t etc_t:file { create write };
allow openvswitch_t ipsec_key_file_t:dir { getattr open read };
The first two are required to be able to create and update /etc/ipsec.secrets. The last one is required to be able to read files included from /etc/ipsec.conf or created in /etc/ipsec.d/.
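As an added example, not part of the bug report and not Open vSwitch's own policy: a shell script that packages the three allow rules above into a local SELinux policy module, compiles it with checkmodule and semodule_package, and loads it with semodule, as a stop-gap until the fixed openvswitch-selinux-extra-policy package is installed. The module name ovs_ipsec_local, the work directory under /tmp and the systemd unit name openvswitch-ipsec are assumptions. Because the report says these rules are the minimum ("at least"), the denials step prints the actual AVC records for the openvswitch_t domain from the audit log so the rule list can be checked against what the kernel really refused.

```sh
#!/bin/sh
# Added example (not from the bug report or the Open vSwitch project): carry the
# three allow rules from the report in a local SELinux policy module so that
# openvswitch-ipsec can run with SELinux enforcing until the fixed
# openvswitch-selinux-extra-policy package is installed.
# Assumptions: module name "ovs_ipsec_local", work directory $WORKDIR, systemd
# unit "openvswitch-ipsec". Everything except "te" needs root and audit/SELinux tools.

WORKDIR="${WORKDIR:-/tmp/ovs_ipsec_local}"
MODULE="ovs_ipsec_local"

# Print the policy source (.te). The three allow rules are exactly the ones in
# the report; the require block declares the types and classes they reference.
ovs_ipsec_te() {
    cat <<'EOF'
module ovs_ipsec_local 1.0;

require {
    type openvswitch_t;
    type etc_t;
    type ipsec_key_file_t;
    class dir { add_name getattr open read };
    class file { create write };
}

# create and update /etc/ipsec.secrets (a file created under /etc gets etc_t)
allow openvswitch_t etc_t:dir add_name;
allow openvswitch_t etc_t:file { create write };

# read files included from /etc/ipsec.conf or created in /etc/ipsec.d/
allow openvswitch_t ipsec_key_file_t:dir { getattr open read };
EOF
}

# List recent AVC denials for the openvswitch_t domain so the rule list can be
# compared with what the kernel actually refused.
ovs_ipsec_denials() {
    command -v ausearch >/dev/null 2>&1 || { echo "ausearch not installed" >&2; return 1; }
    ausearch -m AVC -ts recent 2>/dev/null | grep 'openvswitch_t' \
        || echo "no openvswitch_t denials in the recent audit log"
}

# Compile the .te source into a binary module package (.pp).
ovs_ipsec_build() {
    mkdir -p "$WORKDIR"
    ovs_ipsec_te > "$WORKDIR/$MODULE.te"
    checkmodule -M -m -o "$WORKDIR/$MODULE.mod" "$WORKDIR/$MODULE.te"
    semodule_package -o "$WORKDIR/$MODULE.pp" -m "$WORKDIR/$MODULE.mod"
    echo "$WORKDIR/$MODULE.pp"
}

# Load the module into the running policy, confirm it is listed, restart the unit.
ovs_ipsec_install() {
    semodule -i "$WORKDIR/$MODULE.pp"
    semodule -l | grep -qw "$MODULE" || { echo "module $MODULE not loaded" >&2; return 1; }
    systemctl restart openvswitch-ipsec
}

# Remove the local module once the errata package supplies the rules itself.
ovs_ipsec_remove() {
    semodule -r "$MODULE"
}

case "${1:-}" in
    te)      ovs_ipsec_te ;;
    denials) ovs_ipsec_denials ;;
    build)   ovs_ipsec_build ;;
    install) ovs_ipsec_install ;;
    remove)  ovs_ipsec_remove ;;
esac
```

Run `sh ovs_ipsec_local.sh build` and then `sh ovs_ipsec_local.sh install` as root; `sh ovs_ipsec_local.sh te` only prints the policy source for review. Remove the module with the `remove` action once the openvswitch-selinux-extra-policy update from the errata is installed, since a local module widens the shipped policy and is easy to forget. Note that `add_name` on an etc_t directory presumes openvswitch_t already holds `write` and `search` on it, as the report implies; if that is not the case on a given system, the `denials` output shows the additional AVC records.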
links to: RHBA-2025:147561 openvswitch-selinux-extra-policy bug fix and enhancement update