+++ This bug was initially created as a clone of Bug #1734058 +++
There are some (as of yet unknown) scenario's where pluto receives a kernel ACQUIRE for which it already detects it has a valid STATE object. Thus, it interprets these as a "duplicate acquire" and no action is taken. However, the state found does not belong to a valid IPsec SA, and so the tunnel is down and cannot be started because it is deemed up based on the "duplicate" check.
When this happens, packets are dropped for a lack of IPsec SA - or leaked in the clear, depending on whether this was a "private" or "private-or-clear" group state.
This issue was not selected to be included in Red Hat Enterprise Linux 7.9 because it is seen either as a low or moderate impact to a small number of use-cases. The next release will be in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available. We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; this issue is known to have been addressed in Red Hat Enterprise Linux 8.