[strongSwan] deleting IKE_SA: what's the reason?

Tobias Brunner tobias at strongswan.org
Wed Sep 12 10:39:59 CEST 2012

Hi Diego,

> deleting IKE_SA CONN_NAME[10] between
> x.x.x.x[vpn1.example.com]...x.x.x.x[vpn2.example.com]
> I wrote an script that controls the status of the tunnel using "ipsec
> status". For some reason, some conns are dropped randomly. I have DPD
> enabled but I don't see the message "giving up..." and I don't see the
> message "received stroke..." about the connection lost and I don't see
> the rekeying messages.
> Is there an aditional way to discover why Charon is deleting IKE SAs?

You are probably using reauth=yes (which is the default).  So instead of
rekeying the IKE_SA the daemon will first delete the current instance
(hence the "deleting IKE_SA..." message) and then setup a new IKE_SA
from scratch.  Try reauth=no to get regular IKE_SA rekeyings.


More information about the Users mailing list