CHR can upgrade to v7 but breaks connectivity

Have a CHR running as a virtual machine on a QEMU host. Was originally installed with v6 and has had no problem with periodic upgrades.
I want to move it to v7 as I need to use VXLAN. I can upgrade fine, but ether2 breaks…

There’s a WAN-facing interface (ether1) which works fine; ether2 is connected to an internal network. When upgrading to v7, I can’t send any traffic out that interface. Pings immediately return ‘packet rejected’ as the status. I can see internal network traffic with torch, but for whatever reason it’s just completely and utterly broken with any form of outgoing traffic.

Any ideas?

Solved. I had legacy IPSec configuration that wasn’t in use. V6 correctly identifies that the policies don’t apply without an active connection and thus marks them as invalid.
V7 appears to have different behavior, and when upgrading it made those policies active, despite having no active IPSec peers.
I tried disabling the policies in V7 and it didn’t work, possibly a route cache issue.

Either way, I rolled back to the v6 backup, deleted the policies ‘before’ upgrading, and then it upgraded and worked fine.
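
A pre-upgrade check for the situation described in this thread, as an added example that is not part of the original posts: it parses a RouterOS configuration export and lists the enabled `/ip ipsec policy` entries whose selectors would cover a given flow, so leftover policies can be reviewed before moving to v7. The export text, addresses and peer name are constructed, and the function names are hypothetical.

```python
import ipaddress
import shlex

# Constructed sample in the style of a RouterOS "/export" (not from the thread).
SAMPLE_EXPORT = r"""
/ip ipsec peer
add address=203.0.113.10/32 disabled=yes name=old-site
/ip ipsec policy
add dst-address=10.20.0.0/16 peer=old-site src-address=10.10.0.0/24 \
    tunnel=yes
add disabled=yes dst-address=192.168.50.0/24 peer=old-site \
    src-address=10.10.0.0/24 tunnel=yes
/ip route
add distance=1 gateway=198.51.100.1
"""

def ipsec_policies(export_text):
    """Return the 'add' entries under /ip ipsec policy as dicts."""
    # The export wraps long lines with a trailing backslash; join them first.
    joined = export_text.replace("\\\n", " ")
    section, policies = None, []
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line  # a new menu path starts a new section
        elif section == "/ip ipsec policy" and line.startswith("add "):
            props = dict(t.split("=", 1) for t in shlex.split(line[4:]) if "=" in t)
            policies.append(props)
    return policies

def policies_matching(export_text, src, dst):
    """Enabled policies whose src/dst selectors cover the given addresses."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = []
    for p in ipsec_policies(export_text):
        if p.get("disabled") == "yes":
            continue
        # Assumption: a selector absent from the export is treated as match-all.
        src_net = ipaddress.ip_network(p.get("src-address", "0.0.0.0/0"), strict=False)
        dst_net = ipaddress.ip_network(p.get("dst-address", "0.0.0.0/0"), strict=False)
        if src_ip in src_net and dst_ip in dst_net:
            hits.append(p)
    return hits

if __name__ == "__main__":
    for p in policies_matching(SAMPLE_EXPORT, "10.10.0.1", "10.20.0.5"):
        print("review before upgrade:", p)
```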