What were you trying to do that didn't work?

A simple scenario:

• 2 network namespaces: left and right.
• 2 connections on each side, one in and one out, sharing IKE SA.
• On both sides out is started with ipsec start and in is added with ipsec add.
• IPv6, PSK.

In pluto log file we get:

Jan  3 10:57:38.130415: "tun-out-1" #1: suppressing retransmit because IKE SA was superseded #2; drop this negotiation
Jan  3 10:57:38.130491: EXPECTATION FAILED: "tun-out-1" #1: revival: skipping, .negotiating_ike_sa #2 is is not us (scheduled_revival() +230 programs/pluto/revival.c)
Jan  3 10:57:38.149281: "tun-out-1" #1: deleting IKE SA (sent IKE_SA_INIT request)

Reproducible with OVS system tests in about 50% of cases.

More details with logs and analysis are in the upstream issue:
https://github.com/libreswan/libreswan/issues/1989
No solution is available yet though.

What is the impact of this issue to you?

Sometimes connection somehow recovers and becomes active but in many cases it never becomes active, even though it is marked to stay UP.

Please provide the package NVR for which the bug is seen:

libreswan-5.1-1.el9_2.x86_64.rpm, but I'm assuming it's a very similar build to libreswan-5.1-2.el10. I can also reproduce with latest upstream.

How reproducible is this bug?: 50%

Steps to reproduce

Get OVS sources and run:

make check-kernel TESTSUITEFLAGS='-k Libreswan -d'
grep EXPECTATION ./tests/system-kmod-testsuite.dir/*/*/pluto.log

Expected results

No failures in the log and all the tests pass.

Actual results

Expectation failures in the log and some tests fail.