Ah, looking back over the logs, I think I see the issue.
You want to encrypt the actual node networks, not the SDN network.
# echo 192.168.2.0/24 >> /etc/ipsec.d/policies/private
# echo 192.168.2.1/32 >> /etc/ipsec.d/policies/clear
or whatever the node network config is.
I re-read the docs and realize that this wasn't clear, I should update them to make it so.
Does using those subnets change things?
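As an added example (not part of the bug report or of libreswan itself), the script below generates the two policy-group files the comment above describes and then reports, for any address, which group file it would fall under, using longest-prefix matching so that the /32 host entry in `clear` overrides the /24 in `private`, which is the intent of that configuration. It writes to a scratch directory rather than /etc/ipsec.d/policies, so it is safe to run anywhere; set POLICY_DIR to the real directory to install. The addresses used are taken from this thread; the check is a static read of the files only and says nothing about what the kernel SPD will do after `ipsec restart`.

```shell
#!/bin/sh
# Added example, not from the bug report: write libreswan policy-group files for
# a node network and check which group an address matches before restarting ipsec.
# POLICY_DIR defaults to a scratch directory; point it at /etc/ipsec.d/policies to install.
POLICY_DIR="${POLICY_DIR:-$(mktemp -d)}"

# ip_to_int DOTTED_QUAD -> 32-bit integer (192.168.2.1 -> 3232236033)
ip_to_int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP CIDR -> exit 0 if IP lies inside CIDR (CIDR must carry a /prefix)
in_cidr() {
    ip=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    plen=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# write_policies NODE_CIDR LOCAL_IP: node network -> "private" (encrypt),
# the node's own address -> "clear" (bypass), as in the comment above.
# Appends, like the echo >> commands in the report, so existing entries survive.
write_policies() {
    mkdir -p "$POLICY_DIR"
    printf '%s\n' "$1" >> "$POLICY_DIR/private"
    printf '%s\n' "$2/32" >> "$POLICY_DIR/clear"
}

# policy_for IP: print the group (private, clear, block, ...) whose most
# specific entry matches IP, or "none" if no group file lists it.
# Assumes the more specific prefix takes precedence, which is what the
# /32 in clear relies on to override the /24 in private.
policy_for() {
    best_len=-1; best_group=none
    for f in "$POLICY_DIR"/*; do
        [ -f "$f" ] || continue
        group=$(basename "$f")
        while read -r entry; do
            case "$entry" in ''|'#'*) continue;; esac
            # normalise bare host addresses to /32 so prefix arithmetic works
            case "$entry" in */*) ;; *) entry="$entry/32";; esac
            if in_cidr "$1" "$entry"; then
                plen=${entry#*/}
                if [ "$plen" -gt "$best_len" ]; then
                    best_len=$plen; best_group=$group
                fi
            fi
        done < "$f"
    done
    echo "$best_group"
}

# Worked run with the subnet and host from the comment above, plus the
# API server address from the later comment. Values are from this thread.
write_policies 192.168.2.0/24 192.168.2.1
echo "192.168.2.1  -> $(policy_for 192.168.2.1)"    # clear   (host entry wins)
echo "192.168.2.50 -> $(policy_for 192.168.2.50)"   # private (only the /24 matches)
echo "10.8.174.54  -> $(policy_for 10.8.174.54)"    # none    (listed in no group file)
```

Run it once with the real node CIDR and node IP and look at the output for every address the node must keep reaching (its own address, the API server, peers); any address that lands in `private` will only be reachable once IPsec negotiation with that peer succeeds, so it is worth knowing which ones those are before the restart.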
I tried to configure /etc/ipsec.d/policies/private and /etc/ipsec.d/policies/clear with the node network, and after restarting ipsec the whole network was broken, like:
# oc get node
Unable to connect to the server: dial tcp 10.8.174.54:8443: i/o timeout
Attaching the nodes' network information.
Created attachment 1270373: nodes network info