[Openswan Users] Re: [strongSwan] PROTO_IPSEC_ESP SA not found (maybe expired)

Andreas Steffen andreas.steffen at strongsec.net
Fri Sep 3 15:06:33 CEST 2004

When an IPsec SA is about to expire *swan sends a delete SA notification
to the peer. Since the same IPsec SA is also about to expire on the
peer side, often the peer is a little faster and has already deleted
the IPsec SA itself. Thus when the delete SA message arrives, the IPsec SA
doesn't exist anymore and the warning below is issued in the log.

If you want to study the SA renewal and deletion mechanism in detail
you can do this by activating the following debug option

   ipsec whack --debug-lifecycle



mailinglists wrote:
> Hi 
> sorry to crosspost this to two mailinglists. 
> I get this error on both StrongSwan 2.2.0 and OpenSwan 2.1.5 on a
> vanilla kernel box (Slackware 9.1):
> ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x25d1db74) not found
> (maybe expired)
> I get ping trough any tunnel but no other traffic. 
> Thanks for any help
> Philipp

Andreas Steffen                   e-mail: andreas.steffen at strongsec.com
strongSec GmbH                    home:   http://www.strongsec.com
Alter Zürichweg 20                phone:  +41 1 730 80 64
CH-8952 Schlieren (Switzerland)   fax:    +41 1 730 80 65
==========================================[strong internet security]===

More information about the Users mailing list