Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/strongswan/strongswan/llms.txt

Use this file to discover all available pages before exploring further.

The --rekey command asks the strongSwan IKE daemon to immediately rekey an existing Security Association, replacing its cryptographic material without tearing down the tunnel. For IKEv2 IKE_SAs you can optionally trigger a full reauthentication instead.

Synopsis

swanctl --rekey --child <name> | --ike <name> |
                --child-id <id> | --ike-id <id>
        [--reauth] [--raw|--pretty]
You must specify exactly one selector: --child, --ike, --child-id, or --ike-id. --reauth is only meaningful when rekeying an IKE_SA; it has no effect on CHILD_SAs.

Options

--child
string
Rekey all CHILD_SAs that match the given configuration name. A CREATE_CHILD_SA exchange negotiates fresh keys; the old CHILD_SA is deleted once the new one is installed.
--ike
string
Rekey the IKE_SA matching the given configuration name. strongSwan uses an IKE_SA rekeying exchange (RFC 7296 §2.18) to establish new IKE keys.
--child-id
integer
Rekey a single CHILD_SA by its unique numeric identifier. Use swanctl --list-sas to find the ID (shown as #<id> next to the CHILD_SA name).
--ike-id
integer
Rekey a single IKE_SA by its unique numeric identifier.
--reauth
boolean
Reauthenticate the IKE_SA instead of rekeying it. Reauthentication starts a completely new IKE_SA (new IKE_SA init + authentication exchanges) while the existing SA stays active until the new one is established. Only valid with --ike or --ike-id.
--raw
boolean
Print the raw VICI response message.
--pretty
boolean
Print the raw VICI response with pretty-print indentation. Implies --raw.
--uri
string
VICI socket URI. Overrides the default unix:///var/run/charon.vici.

Examples

Rekey a CHILD_SA by config name

swanctl --rekey --child net-net
Expected output: 
rekey completed successfully
The daemon performs a CREATE_CHILD_SA exchange in the background. If the rekey succeeds, the old CHILD_SA is deleted and the new one takes over without interrupting traffic flow.

Rekey an IKE_SA by config name

swanctl --rekey --ike roadwarrior

Rekey a specific SA by unique ID

When you have multiple active SAs from the same configuration, target one precisely with its ID from swanctl --list-sas: 
swanctl --rekey --child-id 5
swanctl --rekey --ike-id 2

Reauthenticate an IKE_SA

Force a full reauthentication, which re-runs IKE_SA_INIT and IKE_AUTH: 
swanctl --rekey --ike roadwarrior --reauth
Rekeying replaces the session keys of an existing SA without re-running authentication. Reauthentication (--reauth) also re-verifies peer identity, which is required when client certificates or EAP credentials have changed.

Rekey vs. reauthenticate

--rekey--reauth
Creates new keysYesYes
Re-runs authenticationNoYes
Applicable to CHILD_SAYesNo
Applicable to IKE_SAYesYes
Traffic interruptionNoneBrief (new SA established first)

Exit codes

CodeMeaning
0Rekey initiated successfully
1Rekey failed (error message printed to stderr)
otherConnection to VICI socket failed or unexpected error

See also