IPsec: SA expired for tunnel 10.0.0.1 to 203.0.113.5, rekeying failed
ID: networking/ipsec-sa-expired
Version compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| strongSwan 5.9.10 | active | — | — | — |
| Libreswan 4.12 | active | — | — | — |
| Cisco ASA 9.18(2) | active | — | — | — |
| Linux kernel 6.1.0-17-amd64 | active | — | — | — |
Root cause analysis
The IPsec Security Association (SA) between two peers has expired and the automatic rekeying process failed, often due to mismatched lifetime settings, a firewall blocking IKE traffic, or a dead peer.
Official documentation
https://docs.strongswan.org/docs/5.9/config/lifetime.html
Solution
- Check and synchronize lifetime settings on both peers: `ipsec statusall | grep lifetime`, then adjust in ipsec.conf: `lifetime = 1h` and `rekeymargin = 3m`
- Force rekey manually on the initiating peer: `ipsec rekey --tunnel <tunnel_name>`
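As an added example (not part of this entry and not strongSwan's own tooling), the following Python script checks the first step above offline: it parses the conn sections of two ipsec.conf files (resolving `conn %default` inheritance and a single-level `also=` include), reports lifetime-related keys that differ between the two peers, and flags a `rekeymargin` that is not shorter than `lifetime`, since in that case the SA expires before the replacement is negotiated. The two peer configurations are constructed samples; the fallback values `lifetime=1h`, `rekeymargin=9m` and `ikelifetime=3h` used for missing keys are strongSwan's documented defaults, and the function names are this example's own.

```python
"""Compare SA lifetime settings between two strongSwan ipsec.conf files.

Hypothetical helper written for this entry; not part of strongSwan.
"""
import re

# Keys whose values should agree on both peers for rekeying to line up.
LIFETIME_KEYS = ("ikelifetime", "lifetime", "rekeymargin", "rekeyfuzz")

# strongSwan defaults (ipsec.conf(5)) used when a conn does not set the key.
DEFAULTS = {"ikelifetime": "3h", "lifetime": "1h", "rekeymargin": "9m"}

_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(value):
    """Convert strongSwan duration syntax ('3m', '1h', '3600') to seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhd]?)\s*", value)
    if not m:
        raise ValueError(f"bad duration: {value!r}")
    return int(m.group(1)) * _UNIT_SECONDS[m.group(2) or "s"]


def parse_ipsec_conf(text):
    """Parse ipsec.conf into {conn_name: {key: value}} with inheritance resolved.

    Section headers start at column 0 ('conn <name>', 'config setup');
    parameters are indented 'key=value' lines. Comments after '#' are ignored.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # section header
            kind, _, name = line.strip().partition(" ")
            current = sections.setdefault((kind, name.strip()), {}) if kind in ("conn", "config") else None
            continue
        if current is None:
            continue
        key, _, value = line.strip().partition("=")
        current[key.strip()] = value.strip()

    # Precedence (lowest to highest): conn %default, the also= section, the conn itself.
    default = sections.get(("conn", "%default"), {})
    conns = {}
    for (kind, name), body in sections.items():
        if kind != "conn" or name == "%default":
            continue
        merged = dict(default)
        if "also" in body:
            merged.update(sections.get(("conn", body["also"]), {}))
        merged.update(body)
        merged.pop("also", None)
        conns[name] = merged
    return conns


def check_rekey_settings(local_conf, remote_conf, conn_name):
    """Return a list of findings for one tunnel; an empty list means no issue found."""
    local = parse_ipsec_conf(local_conf).get(conn_name)
    remote = parse_ipsec_conf(remote_conf).get(conn_name)
    if local is None or remote is None:
        return [f"conn {conn_name} is missing on one peer"]

    findings = []
    for key in LIFETIME_KEYS:
        if local.get(key) != remote.get(key):
            findings.append(f"{key}: local={local.get(key)} remote={remote.get(key)}")

    # A rekeymargin that is not shorter than the lifetime never triggers an
    # early rekey, so the SA expires before a new one exists.
    for side, cfg in (("local", local), ("remote", remote)):
        lifetime = parse_duration(cfg.get("lifetime", DEFAULTS["lifetime"]))
        margin = parse_duration(cfg.get("rekeymargin", DEFAULTS["rekeymargin"]))
        if margin >= lifetime:
            findings.append(f"{side}: rekeymargin {margin}s is not shorter than lifetime {lifetime}s")
    return findings


# Constructed sample: initiating peer, already set to lifetime=1h / rekeymargin=3m.
LOCAL_CONF = """\
config setup
    charondebug="ike 1"

conn %default
    keyexchange=ikev2
    ikelifetime=3h
    rekeymargin=3m

conn site-to-site
    left=10.0.0.1
    right=203.0.113.5
    lifetime=1h
    auto=start
"""

# Constructed sample: responding peer before the fix (lifetime differs, margin too large).
REMOTE_BAD_CONF = """\
conn %default
    keyexchange=ikev2
    ikelifetime=3h

conn site-to-site
    left=203.0.113.5
    right=10.0.0.1
    lifetime=8h
    rekeymargin=9h   # longer than the lifetime itself
    auto=add
"""

# Constructed sample: responding peer after synchronizing the settings.
REMOTE_FIXED_CONF = REMOTE_BAD_CONF.replace("lifetime=8h", "lifetime=1h").replace("rekeymargin=9h", "rekeymargin=3m")

if __name__ == "__main__":
    for label, remote in (("before", REMOTE_BAD_CONF), ("after", REMOTE_FIXED_CONF)):
        print(label, check_rekey_settings(LOCAL_CONF, remote, "site-to-site") or "OK")
```

Running the script prints three findings for the pre-fix pair (the `lifetime` and `rekeymargin` mismatches plus the remote margin that exceeds its lifetime) and `OK` once the responder's values match; the same functions can be pointed at the real `/etc/ipsec.conf` collected from each peer.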
Ineffective attempts
Common but ineffective approaches:
- 70% failure rate: This only delays the problem; rekeying still fails when it eventually occurs, and longer lifetimes can increase security risk.
- 80% failure rate: If the other peer has stale SA state, the restart may cause a mismatch, and the tunnel will not come up until both sides are restarted.
- 90% failure rate: This breaks the tunnel permanently after the SA expires, requiring manual intervention each time, which does not scale.