Tags: networking, protocol_error, ai_generated, partial
IPsec: SA expired for tunnel 10.0.0.1 to 203.0.113.5, rekeying failed
ID: networking/ipsec-sa-expired
Fix Rate: 80%
Confidence: 86%
Evidence: 1
First Seen: 2024-05-20
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| strongSwan 5.9.10 | active | — | — | — |
| Libreswan 4.12 | active | — | — | — |
| Cisco ASA 9.18(2) | active | — | — | — |
| Linux kernel 6.1.0-17-amd64 | active | — | — | — |
Root Cause
The IPsec Security Association (SA) between two peers has expired and the automatic rekeying process failed, often due to mismatched lifetime settings, firewall blocking IKE traffic, or a dead peer.
Official Documentation
https://docs.strongswan.org/docs/5.9/config/lifetime.html
Workarounds
- 85% success: Check and synchronize lifetime settings on both peers: `ipsec statusall | grep lifetime`, then adjust in ipsec.conf: `lifetime = 1h` and `rekeymargin = 3m`
- 90% success: Force rekey manually on the initiating peer: `ipsec rekey --tunnel <tunnel_name>`
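The first workaround asks you to compare lifetime settings on both peers by hand. The script below is an added example (not code from the original page or from the strongSwan project) that does that comparison for two ipsec.conf files: it parses the conn sections, merges `conn %default` into each conn, normalizes strongSwan's time suffixes, and reports every key that differs. It goes one step beyond the page by also flagging a `rekeymargin` that is not smaller than `lifetime`, since rekeying is scheduled at lifetime minus rekeymargin. The conn name `site-b`, the two config contents and the strongSwan defaults in `DEFAULTS` (ikelifetime 3h, lifetime 1h, rekeymargin 9m) are assumptions for the sake of the example.

```python
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}   # ipsec.conf suffixes; bare number = seconds
DEFAULTS = {"ikelifetime": "3h", "lifetime": "1h", "rekeymargin": "9m"}  # assumed strongSwan defaults

def parse_duration(value):
    # '1h' -> 3600, '3m' -> 180, '3600' -> 3600
    value = value.strip()
    unit = value[-1] if value[-1] in _UNITS else "s"
    return int(value.rstrip("smhd")) * _UNITS[unit]

def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}}, with 'conn %default' merged into every conn."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                     # section header: 'conn NAME' / 'config setup'
            kind, _, name = line.strip().partition(" ")
            current = conns.setdefault(name.strip(), {}) if kind == "conn" else None
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    default = conns.pop("%default", {})
    return {name: {**default, **cfg} for name, cfg in conns.items()}

def compare_lifetimes(local_conf, peer_conf, conn):
    """List lifetime mismatches between the two peers for one conn; [] means in sync."""
    local, peer = (parse_ipsec_conf(c).get(conn, {}) for c in (local_conf, peer_conf))
    problems = []
    for key in DEFAULTS:
        a, b = (parse_duration(c.get(key, DEFAULTS[key])) for c in (local, peer))
        if a != b:
            problems.append(f"{key}: local={a}s peer={b}s")
    # strongSwan rekeys at lifetime - rekeymargin; a margin >= lifetime leaves no rekey window.
    for side, cfg in (("local", local), ("peer", peer)):
        margin = parse_duration(cfg.get("rekeymargin", DEFAULTS["rekeymargin"]))
        if margin >= parse_duration(cfg.get("lifetime", DEFAULTS["lifetime"])):
            problems.append(f"{side}: rekeymargin ({margin}s) is not smaller than lifetime")
    return problems

# Constructed sample ipsec.conf contents for the two peers named in the error above.
LOCAL_CONF = """\
conn %default
    rekeymargin=3m
conn site-b
    lifetime=1h
"""
PEER_CONF = """\
conn site-b
    lifetime=30m     # shorter than the local side
    rekeymargin=45m  # not smaller than lifetime: rekeying can never start in time
"""
```

Run `compare_lifetimes(LOCAL_CONF, PEER_CONF, "site-b")` against the real files from both peers (for example read with `open(...).read()`) and fix every reported key so both sides agree before forcing a rekey.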
Dead Ends
Common approaches that don't work:
- 70% fail: This only delays the problem; rekeying still fails when it eventually occurs, and longer lifetimes can increase security risks.
- 80% fail: If the other peer has stale SA state, the restart may cause a mismatch and the tunnel will not come up until both sides are restarted.
- 90% fail: This breaks the tunnel permanently after the SA expires, requiring manual intervention each time, which is not scalable.