[strongSwan] Problem with active-active cluster and traffic handling

Jean-Daniel Dupas jddupas at xooloo.com
Thu Jul 12 15:43:53 CEST 2018


I'm trying to set up an active-active HA cluster. Actually, I'm close to having a fully working setup, but I have a blocking issue.

I have installed a custom kernel (4.15.x family) and set up CLUSTERIP as described in the HA guide ( https://wiki.strongswan.org/projects/strongswan/wiki/HighAvailability ).

Both my nodes receive the traffic, and they properly manage the cluster IP so that each handles only half of the packets.
When I'm establishing a session, only one node handles it (as expected), and the other one sets up a passive IKE_SA.

My problem is that once the session is up, sometimes it is the passive node (for that session) that takes over the IPsec traffic, and the active node completely ignores it.
If I sniff the incoming traffic (tcpdump), the decrypted traffic is only seen on the node that set up the passive IKE_SA, and not on the node with the active IKE_SA.

To make it clear, say I have 2 servers: Alice and Moon. The IKE session is established on Moon, and a passive session is created on Alice, but then the decrypted traffic only shows up on Alice.
As Alice is a passive node and doesn't have the iptables entries and routes created to handle that traffic, it rejects it (as expected).

Does anyone know what can cause that inconsistency?

My iptables rules look like this:

-A INPUT -i enp1s1 -d -j CLUSTERIP --new --hashmode sourceip --clustermac 01:00:5e:00:00:20 --total-nodes 2 --local-node 0

I don't think this is relevant, but I'm using strongSwan 5.6.2 with systemd (swanctl) on Ubuntu 18.04.

