[strongSwan] HA plugin: stopping charon does not remove IKE_SA/CHILD_SA from other nodes

[Emeric POUPON]

Hello,

I have set a HA cluster using strongswan 5.2.2.

When charon is stopped on one of the nodes, DELETE are sent to the remote hosts:

Feb 27 15:14:34 00[DMN] signal of type SIGINT received. Shutting down
Feb 27 15:14:34 00[MGR] going to destroy IKE_SA manager and all managed IKE_SA's
Feb 27 15:14:34 00[MGR] set driveout flags for all stored IKE_SA's
Feb 27 15:14:34 00[MGR] wait for all threads to leave IKE_SA's
Feb 27 15:14:34 00[MGR] delete all IKE_SA's
Feb 27 15:14:34 00[IKE] <my_connection|1> queueing IKE_DELETE task
...
Feb 27 15:14:34 00[IKE] <my_connection|1> sending DELETE for IKE_SA my_connection[1]
...
Feb 27 15:14:34 00[IKE] <my_connection|1> IKE_SA my_connection[1] state change: DELETING => DESTROYING
Feb 27 15:14:34 00[KNL] <my_connection|1> deleting SAD entry with SPI c098e83c
...
Feb 27 15:14:34 00[KNL] <my_connection|1> deleted SAD entry with SPI c098e83c
Feb 27 15:14:34 00[KNL] <my_connection|1> deleting SAD entry with SPI cfa1a139
...

However, the other members of the cluster are not notified of this deletion. When charon is restarted, it gets the already destroyed connections back from the passive nodes, but they have been destroyed on the remote gateway. This leads to quite complicated situations to understand.

It sounds like a bug, what do you think?

Emeric