# IPsec: SA for tunnel 10.0.0.1 to 203.0.113.5 has expired, rekey failed

- **ID:** `networking/ipsec-sa-expired`
- **Domain:** networking
- **Category:** protocol_error
- **Verification level:** ai_generated
- **Fix rate:** 80%

## Root cause

The IPsec Security Association (SA) between the two peers has expired and the automatic rekey failed. Typical causes are mismatched lifetime settings on the two sides, a firewall blocking IKE traffic (UDP 500/4500), or the remote peer being down.

## Version compatibility

| Version | Status | Introduced | Deprecated |
|------|------|------|------|
| strongSwan 5.9.10 | active | — | — |
| Libreswan 4.12 | active | — | — |
| Cisco ASA 9.18(2) | active | — | — |
| Linux kernel 6.1.0-17-amd64 | active | — | — |

## Solution

1. Check and synchronize the lifetime settings on both peers: run `ipsec statusall | grep lifetime` on each side, then adjust them in `ipsec.conf` so that they match, e.g. `lifetime = 1h` and `rekeymargin = 3m`.
2. Force a rekey manually on the initiating peer: `ipsec rekey --tunnel <tunnel_name>`.
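The mismatch check from step 1, as an added example that is not part of this entry: a small parser for strongSwan-style `ipsec.conf` sections that compares `lifetime` between the two peers' configs and verifies that `rekeymargin` (plus `rekeyfuzz`) still fits inside the lifetime, so rekeying starts before the SA expires. The two config texts and the connection names are constructed for illustration.

```python
import re

# Hypothetical helper, not part of this KB entry: compare rekey settings of two peers.
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

# Constructed sample configs for the two peers (not real files).
LOCAL_CONF = """\
config setup
conn %default
    keyexchange = ikev2
conn site-b
    left = 10.0.0.1
    right = 203.0.113.5
    lifetime = 1h
    rekeymargin = 3m
"""
REMOTE_CONF = """\
conn site-a
    left = 203.0.113.5
    right = 10.0.0.1
    lifetime = 30m   # shorter than the other side: the classic mismatch
"""

def to_seconds(value: str) -> int:
    """Convert an ipsec.conf duration such as '1h', '3m' or '540' (bare seconds)."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhd]?)\s*", value)
    if not m:
        raise ValueError(f"bad duration: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2) or "s"]

def parse_conn(text: str, conn: str) -> dict:
    """Return key/value pairs of 'conn <name>', with 'conn %default' merged underneath."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # section header, e.g. 'conn site-b'
            kind, _, name = line.partition(" ")
            current = sections.setdefault(name.strip(), {}) if kind == "conn" else None
            continue
        if current is not None and "=" in line:
            k, _, v = line.partition("=")
            current[k.strip()] = v.strip()
    return {**sections.get("%default", {}), **sections.get(conn, {})}

def check_rekey(local: dict, remote: dict) -> list:
    """List rekey problems between the peers; an empty list means the settings agree."""
    problems = []
    l_life = to_seconds(local.get("lifetime", "1h"))      # strongSwan default: 1h
    r_life = to_seconds(remote.get("lifetime", "1h"))
    margin = to_seconds(local.get("rekeymargin", "9m"))   # strongSwan default: 9m
    fuzz = int(local.get("rekeyfuzz", "100%").rstrip("%"))  # default: up to +100%
    if l_life != r_life:
        problems.append(f"lifetime mismatch: local {l_life}s vs remote {r_life}s")
    if margin * (1 + fuzz / 100) >= l_life:               # rekey must begin before expiry
        problems.append(f"rekeymargin {margin}s (+{fuzz}% fuzz) does not fit in lifetime {l_life}s")
    return problems
```

Run `check_rekey(parse_conn(LOCAL_CONF, "site-b"), parse_conn(REMOTE_CONF, "site-a"))` to see the mismatch reported for the sample configs.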

## Failed attempts

- This only delays the problem; rekeying still fails when it eventually occurs, and longer lifetimes can increase security risk. (70% failure rate)
- If the other peer has stale SA state, the restart may cause a mismatch and the tunnel will not come up until both sides are restarted. (80% failure rate)
- This breaks the tunnel permanently after the SA expires, requiring manual intervention each time, which does not scale. (90% failure rate)
