  1. Fast Datapath Product
  2. FDP-3020

Upstream: check for activated libreswan connections is not robust enough

    • Bug
    • Resolution: Done
    • Undefined
    • None
    • None
    • openvswitch3.5
    • None
    • False
    • False
    • Please mark each item below with ( / ) if completed or ( x ) if incomplete:
      ( ) Unit test or Integration test case are written and pass successfully
      ( ) The upstream pull request is merged upstream and pass CI
    • openvswitch3.5-3.5.2-70.el9fdp
    • rhel-10
    • None
    • rhel-net-ovs-dpdk

      This is tracking the upstream effort needed to deliver the solution to the bug described below.


      Problem Description:

      The issue is described in https://github.com/openvswitch/ovs-issues/issues/374

      Impact Assessment: 

      Under specific conditions, one side of the connection can end up with an IKE SA without a corresponding Child SA. Such a situation can be fixed by reconciliation, but that will not happen because the current check for activated connections checks for any SA instead of a Child SA, and hence it is satisfied by an existing IKE SA.

      Fortunately, this problem can be easily mitigated, since it is easy to distinguish between an IKE SA and a Child SA in the output that is used in the check.

      Software Versions: 

      All current versions of openvswitch

      Issue Type:

      New issue.

      Reproducibility: 

      It can be reproduced reliably.

      Reproduction Steps:

      Delete the Child SA and keep the IKE SA.

      Expected Behavior:

      Once the Child SA is missing, reconciliation should happen regardless of the IKE SA still being active.

      Observed Behavior:

      Having any SA (either IKE SA or Child SA) is considered as having an active IPsec connection.

      Troubleshooting Actions: 

      N/A

      Additional Information:

      This is relevant for RHEL-9 as well.
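
The difference between the two checks described above, as an added example (not the openvswitch code and not taken from the linked issue). The status lines are constructed, and their format and all function names are assumptions modelled on libreswan state output.

```python
import re

# Constructed sample: tun-a-1 has an IKE SA and a Child SA, tun-b-1 has
# only an IKE SA (the state the issue describes). Line format is assumed.
SAMPLE_STATUS = """\
#11: "tun-a-1":500 ESTABLISHED_IKE_SA (established IKE SA); REKEY in 27000s
#12: "tun-a-1":500 ESTABLISHED_CHILD_SA (established Child SA); REKEY in 26000s; IKE SA #11
#21: "tun-b-1":500 ESTABLISHED_IKE_SA (established IKE SA); REKEY in 27100s
"""

# serial number, connection name, state name, parenthesised description
STATE_LINE = re.compile(r'#(\d+): "([^"]+)"\S*\s+(\S+)\s+\(([^)]*)\)')


def parse_states(status_text):
    """Yield (serial, conn, kind) with kind in {'ike', 'child', 'other'}."""
    for line in status_text.splitlines():
        m = STATE_LINE.search(line)
        if not m:
            continue  # not a per-SA state line
        serial, conn, state, desc = m.groups()
        # Classify on the state and description only, so a trailing
        # "IKE SA #11" reference on a Child SA line is not misread.
        if "CHILD_SA" in state or "Child SA" in desc:
            kind = "child"
        elif "IKE_SA" in state or "IKE SA" in desc:
            kind = "ike"
        else:
            kind = "other"
        yield int(serial), conn, kind


def active_any_sa(status_text):
    """Weak check: any SA at all marks the connection as active."""
    return {conn for _, conn, _ in parse_states(status_text)}


def active_child_sa(status_text):
    """Stricter check: only an established Child SA counts as active."""
    return {c for _, c, kind in parse_states(status_text) if kind == "child"}


def needs_reconciliation(desired, status_text):
    """Desired connections that have no Child SA and must be re-activated."""
    return sorted(set(desired) - active_child_sa(status_text))
```

With the weak check, `tun-b-1` is reported active and is never reconciled; with the Child SA check it is returned by `needs_reconciliation`.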

       

       


              imaximet@redhat.com Ilya Maximets
              omoris Ondrej Moris