# IPsec: SA expired for tunnel 10.0.0.1 to 203.0.113.5, rekeying failed

- **ID:** `networking/ipsec-sa-expired`
- **Domain:** networking
- **Category:** protocol_error
- **Verification:** ai_generated
- **Fix Rate:** 80%

## Root Cause

The IPsec Security Association (SA) between two peers has expired and the automatic rekeying process failed, often due to mismatched lifetime settings, firewall blocking IKE traffic, or a dead peer.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| strongSwan 5.9.10 | active | — | — |
| Libreswan 4.12 | active | — | — |
| Cisco ASA 9.18(2) | active | — | — |
| Linux kernel 6.1.0-17-amd64 | active | — | — |

## Workarounds

1. **Check and synchronize lifetime settings on both peers: `ipsec statusall | grep lifetime`, then adjust in ipsec.conf: `lifetime = 1h` and `rekeymargin = 3m`** (85% success)
2. **Force rekey manually on the initiating peer: `swanctl --rekey --child <tunnel_name>`** (90% success) (the legacy `ipsec` script has no `rekey` verb; the rekey operation is exposed through strongSwan's `swanctl` interface)
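Workaround 1 is easier to apply if the comparison is mechanical. The script below is an added example, not part of the original entry: it parses one `conn` section from each peer's ipsec.conf, normalises strongSwan duration syntax (`1h`, `3m`, `90s`), reports settings that differ, and checks that at least one peer will start rekeying before the earliest hard expiry. The two config fragments are constructed sample input; the key names (`lifetime`, `ikelifetime`, `rekeymargin`, `rekey`) and the defaults of 1h / 3h / 9m / yes are strongSwan's. Because IKEv2 does not negotiate lifetimes, each side enforces its own, which is why a peer whose `rekeymargin` exceeds its `lifetime` has no usable rekey window at all.

```python
import re

# Constructed sample ipsec.conf fragments for the two peers (not from the page).
PEER_A_CONF = """\
conn site-to-site
    left=10.0.0.1
    right=203.0.113.5
    keyexchange=ikev2
    ikelifetime=3h
    lifetime=1h
    rekeymargin=3m
    auto=start
"""

# Misconfigured peer: the margin is longer than the lifetime, so it can never rekey in time.
PEER_B_CONF = """\
conn site-to-site
    left=203.0.113.5
    right=10.0.0.1
    keyexchange=ikev2
    ikelifetime=3h
    lifetime=20m
    rekeymargin=30m
    auto=start
"""

_UNIT = {"s": 1, "m": 60, "h": 3600, "d": 86400}
# strongSwan ipsec.conf defaults for the keys we compare.
DEFAULTS = {"lifetime": "1h", "ikelifetime": "3h", "rekeymargin": "9m", "rekey": "yes"}


def to_seconds(value):
    """Convert a strongSwan duration ('1h', '3m', '90', '90s') to seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhd]?)\s*", value)
    if not m:
        raise ValueError(f"bad duration: {value!r}")
    return int(m.group(1)) * _UNIT[m.group(2) or "s"]


def parse_conn(text, conn_name):
    """Return the key=value settings of one 'conn <name>' section of an ipsec.conf."""
    settings, inside = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and trailing space
        if not line:
            continue
        if not line[0].isspace():               # unindented line = new section header
            inside = line.strip() == f"conn {conn_name}"
            continue
        if inside and "=" in line:
            key, val = line.strip().split("=", 1)
            settings[key.strip()] = val.strip()
    return settings


def rekey_plan(settings):
    """Hard expiry and earliest rekey time (soft) of the CHILD_SA, in seconds."""
    hard = to_seconds(settings.get("lifetime", DEFAULTS["lifetime"]))
    margin = to_seconds(settings.get("rekeymargin", DEFAULTS["rekeymargin"]))
    rekeys = settings.get("rekey", DEFAULTS["rekey"]).lower() != "no"
    return {"hard": hard, "soft": hard - margin if rekeys else None}


def check_peers(conf_a, conf_b, conn_name):
    """Return a list of findings; an empty list means the two peers agree and can rekey."""
    a, b = parse_conn(conf_a, conn_name), parse_conn(conf_b, conn_name)
    findings = []
    for key in ("lifetime", "ikelifetime", "rekeymargin"):
        va, vb = a.get(key, DEFAULTS[key]), b.get(key, DEFAULTS[key])
        if to_seconds(va) != to_seconds(vb):
            findings.append(f"{key} differs: peer A={va}, peer B={vb}")
    plans = {"A": rekey_plan(a), "B": rekey_plan(b)}
    for name, plan in plans.items():
        if plan["soft"] is None:
            findings.append(f"peer {name}: rekey=no, the CHILD_SA will simply expire")
        elif plan["soft"] <= 0:
            findings.append(f"peer {name}: rekeymargin >= lifetime, no valid rekey window")
    # The SA survives only if some peer starts rekeying before either side's hard expiry.
    softs = [p["soft"] for p in plans.values() if p["soft"] is not None and p["soft"] > 0]
    earliest_hard = min(p["hard"] for p in plans.values())
    if not softs or min(softs) >= earliest_hard:
        findings.append(f"no peer rekeys before the earliest hard expiry ({earliest_hard}s)")
    return findings


if __name__ == "__main__":
    for line in check_peers(PEER_A_CONF, PEER_B_CONF, "site-to-site"):
        print("MISMATCH:", line)
```

Run it against the real files by replacing the two constructed strings with the contents of each peer's ipsec.conf; an empty result for the `conn` in question means the lifetimes agree and a rekey window exists on at least one side, which is the state workaround 1 is trying to reach.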

## Dead Ends

- **Extending the SA lifetime** — This only delays the problem; rekeying still fails when it eventually occurs, and longer lifetimes can increase security risks. (70% fail)
- **Restarting the IPsec service on one peer only** — If the other peer has stale SA state, the restart may cause a mismatch and the tunnel will not come up until both sides are restarted. (80% fail)
- **Disabling automatic rekeying** — This breaks the tunnel permanently after the SA expires, requiring manual intervention each time, which is not scalable. (90% fail)
