Comment 7 for bug 1773956

Christian Ehrhardt  (paelzer) wrote :

We only fixed this "by source" as Josh found in comment #1, but I really wanted to see what is going on. So I worked a bit on a repro (which I'd need for an SRU anyway), which is:

0. on a virtual Guest or so
1. Install strongswan (which pulls in libcharon-extra-plugins).
Then edit /etc/strongswan.d/charon/ha.conf to something like:
ha {
    load = yes
    local = 192.168.122.248
    monitor = yes
    remote = 192.168.122.94
    resync = yes
    segment_count = 2
}
With your IP and a peer IP (both KVM guests for me)

sudo iptables -I INPUT -i ens3 -d 10.10.10.10 -j CLUSTERIP --new --hashmode sourceip --clustermac 01:00:5E:00:00:20 --total-nodes 2 --local-node 1

As initially reported the deny is on a subtree to the PID now:
AVC apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/11063/net/ipt_CLUSTERIP/" pid=11063 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[LIB] opening directory '/proc/net/ipt_CLUSTERIP' failed: Permission denied

So some weird path remapping takes place and we need the PID path as well (as suggested).

Tested and working - While fixing that I'll also spawn a bug to re-sync both charon profiles (two ways to start it).

Setting this bug to open again.
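The denial above is reported under /proc/<pid>/net/... even though charon opened /proc/net/..., because /proc/net is a symlink to /proc/self/net. As an added example (not from the bug report or the strongswan package), the script below parses such an AVC line and derives the matching profile rule, rewriting the process's own pid prefix into AppArmor's @{PROC}/@{pid}/ variables; the function and regex names are this example's own.

```python
"""Derive an AppArmor file rule from an AVC "DENIED" audit line."""
import re
from typing import Optional

# The denial quoted in the comment above (copied from the report, not constructed).
SAMPLE_DENIAL = (
    'AVC apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" '
    'name="/proc/11063/net/ipt_CLUSTERIP/" pid=11063 comm="charon" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=0'
)

_FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')   # key="quoted" or key=bare
_PROC_PID = re.compile(r'^/proc/(\d+)/')          # /proc/<pid>/ prefix


def parse_avc(line: str) -> dict:
    """Return the key=value fields of one AVC line as a dict, quotes stripped."""
    fields = {}
    for m in _FIELD.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def normalize_path(path: str, pid: str) -> str:
    """Rewrite /proc/<pid>/... to @{PROC}/@{pid}/... only when <pid> is the
    denied process's own pid (the /proc/net -> /proc/self/net remapping seen
    in the report). Paths under another process's pid are left untouched."""
    m = _PROC_PID.match(path)
    if m and m.group(1) == pid:
        return "@{PROC}/@{pid}/" + path[m.end():]
    return path


def suggest_rule(line: str) -> Optional[str]:
    """Turn a DENIED file-access line into an AppArmor file rule, or None if
    the line is not a file denial (no name/denied_mask, or not DENIED)."""
    f = parse_avc(line)
    if f.get("apparmor") != "DENIED" or "name" not in f or "denied_mask" not in f:
        return None
    path = normalize_path(f["name"], f.get("pid", ""))
    return f"{path} {f['denied_mask']},"


if __name__ == "__main__":
    print(suggest_rule(SAMPLE_DENIAL))  # @{PROC}/@{pid}/net/ipt_CLUSTERIP/ r,
```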