Hi Makarand, > Any opinions on how to avoid the multiple CHILD_SAs after reauth? Don't use reauth (use rekeying) or use make-before-break reauth, see [1] for details (where this issue with trap policies is also mentioned). Regards, Tobias [1] https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey#IKE