Cannot install or upgrade to new versions of Cilium with ipsec enabled

[joestringer]

Recent releases of Cilium have included a warning message at the top of the release notes to recommend not to upgrade if users are using ipsec:

Example from v1.13.4 release notes:

Do NOT upgrade to this release if you are using IPsec.

Example v1.13.4 Upgrade documentation:
https://docs.cilium.io/en/v1.13/operations/upgrade/#id2

These recommendations are made due to known bugs in the ipsec implementation which can cause connection disruption with the combination of particular Cilium versions and ipsec feature enablement.

We can use this meta issue to track known issues and dev/testing efforts to resolve.

[pchaigno]

Versions that are known to have bugs are v1.12.8+, v1.11.15+, v1.13.1+, and v1.14.0+. Those bugs typically manifest as packet drops (sometimes entirely preventing two nodes from communicating) with various XFRM counters increasing.

[joestringer]

I believe these are now addressed in v1.11.20, v1.12.13, v1.13.6 and v1.14.1. Is that accurate?

[pchaigno]

No, unfortunately we still have issues around key rotation (the fix didn't make it into those releases) and for some upgrades when tunneling is enabled.

[github-actions]

This issue has been automatically marked as stale because it has not
had recent activity. It will be closed if no further activity occurs.

[julianwiedmann]

No, unfortunately we still have issues around key rotation (the fix didn't make it into those releases)

For those keeping score at home, I believe this is handled by #28258 and #28485 in the latest patch releases.