Comment 0 for bug 1755693

strongswan-starter and openswan both share the file /usr/sbin/ipsec however there is no Conflicts relationship

openswan was deprecated in utopic, so trusty installations may wish to migrate to strongswan ahead of a xenial upgrade. In that case, the package upgrade can fail.

This was previously fixed upstream in Debian:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740808

For apt operation ordering reasons I don't understand, the issue only appears when something else on the system (such as neutron-vpn-agent) depends on (strongswan | openswan). Just installing strongswan and replacing it with openswan or vica-versa doesn't cause the issue to trigger.

To reproduce the issue on a trusty machine:
add-apt-repository cloud-archive:mitaka # the trusty version of neutron-vpn-agent does not have the dependency on openswan | strongswan
apt update
apt install neutron-vpn-agent openswan # you can answer no to X509 generation
apt install strongswan

The Conflicts already exists in xenial through bionic, just not in trusty. So the upload would only be required in trusty.