What were you trying to do that didn't work?

This is related to OCPBUGS-41551. See the ipsec.conf listed in the bug. The same config is repeated 399 times (we have 400 nodes). With libreswan-4.5 all works fine. After updating to 4.9 there are a couple regressions:

• ipsec auto --start --asynchronous sometimes blocks
• pluto sometimes hits assertion failure ("state already has outstanding crypto") and aborts

What is the impact of this issue to you?

Serious customer impact (see bug mentioned above). Nodes need to be restarted to keep working.

Please provide the package NVR for which the bug is seen:

libreswan-4.9-5.el9_2.2

How reproducible is this bug?:

Always

Steps to reproduce

1. git clone https://github.com/igsilya/ovs/tree/tmp-ipsec-reconcile-v4
2. cd ovs
3. ./boot.sh && ./cofigure && make -j$(nproc)
4. sudo make -j$(nproc) check-kernel TESTSUITEFLAGS='-k reconciliation -v -d'
5. Check tests/system-kmod-testsuite.dir/203/node-*/pluto.log

Expected results

No abort should be observed.

Actual results

There are matches of "state already has outstanding crypto" in the log.

Additional information

Update on Dec 17, 2024: We decided to not fix the first issue (timeout), but only address the second issue (race condition) in this issue. If need be, we will file a new issue for it.