Tracker fields: Bug; Resolution: Unresolved; Minor; rhel-9.2.0; Moderate; rhel-sst-security-crypto; ssg_security; x86_64
Description of problem:
The purpose of the test case (IPsec.Conf.2.1.7. Discard Policy) is to "Verify that a NUT (End-Node) can utilize discard policy" (from the specification https://www.ipv6ready.org/docs/IPsec_IKEv2_Conformance.pdf), so this is required behavior.
To test this, we create two connections with different traffic selectors. One connection should encrypt with ESP and the other connection should drop all traffic. The configuration file is attached.
It is easy to use 'ip xfrm' to configure discard policies, for example:
ip xfrm policy add dir out src $local_ipv6 dst $peer_ipv6 action block
ip xfrm policy add dir in src $peer_ipv6 dst $local_ipv6 action block
But we cannot properly configure the DISCARD connection using ipsec.conf.
We tried many different values for the "auto", "type", and "failureshunt" parameters as well as configuring the implicit connection "block" described at the bottom of the man page for ipsec.conf. At the very least, we could not find the solution from the man pages.
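The following script is an added example, not part of this bug report or of libreswan: it emits the ip xfrm discard (block) policy commands for a host pair in both directions and checks an "ip xfrm policy show" dump to confirm that the block policies are actually installed, which is how a tester can verify the kernel state regardless of how the policy was configured. The addresses are RFC 3849 documentation addresses and the dump text is constructed, not captured from a system.

```shell
#!/bin/sh
# Added example, not from the bug report: emit the ip xfrm commands for a
# host-to-host IPv6 discard policy and verify from an "ip xfrm policy show"
# dump that the block policies are installed. Addresses below are constructed
# RFC 3849 documentation addresses; the dump text is constructed, not captured.

# Print one "ip xfrm policy add ... action block" line per direction (out, in).
# Review the output, then run it as root to apply (e.g. pipe into "sh").
discard_policy_cmds() {
    local_ip=$1; peer_ip=$2
    printf 'ip xfrm policy add dir out src %s/128 dst %s/128 action block\n' "$local_ip" "$peer_ip"
    printf 'ip xfrm policy add dir in src %s/128 dst %s/128 action block\n' "$peer_ip" "$local_ip"
}

# Read an "ip xfrm policy show" dump on stdin and return 0 if a block policy
# exists for the given src, dst and direction, 1 otherwise. The dump lists each
# policy as a "src ... dst ..." selector line followed by an indented line that
# starts with "dir <out|in|fwd>" and, for discard policies, says "action block".
block_policy_present() {
    src=$1; dst=$2; dir=$3
    awk -v s="src $src/128" -v d="dst $dst/128" -v want="dir $dir " '
        /^src / { sel = $0; next }
        index(sel, s) && index(sel, d) && index($0, want) && /action block/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed sample dump: a discard pair for 2001:db8::1 <-> 2001:db8::2 and an
# ESP transport policy (no "action block") for 2001:db8::1 -> 2001:db8::3.
SAMPLE_DUMP='src 2001:db8::1/128 dst 2001:db8::2/128
    dir out action block priority 0 ptype main
src 2001:db8::2/128 dst 2001:db8::1/128
    dir in action block priority 0 ptype main
src 2001:db8::1/128 dst 2001:db8::3/128
    dir out priority 0 ptype main
        tmpl src :: dst ::
            proto esp reqid 1 mode transport'

# Stand-alone demonstration: list the commands, then check both directions.
discard_policy_cmds 2001:db8::1 2001:db8::2
printf '%s\n' "$SAMPLE_DUMP" | block_policy_present 2001:db8::1 2001:db8::2 out \
    && echo "out: discard policy present"
printf '%s\n' "$SAMPLE_DUMP" | block_policy_present 2001:db8::2 2001:db8::1 in \
    && echo "in: discard policy present"
```

On a live system, replace the constructed dump with `ip xfrm policy show | block_policy_present ...` after applying the commands as root.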
Version-Release number of selected component (if applicable):
libreswan-4.6-3.el9
How reproducible:
100%
Steps to Reproduce:
Please refer to IPsec.Conf.2.1.7. Discard Policy at https://www.ipv6ready.org/docs/IPsec_IKEv2_Conformance.pdf for full test procedure.
Actual results:
Expected results:
Additional info: