
The --terminate command instructs the strongSwan IKE daemon to delete one or more Security Associations. It sends an IKEv2 INFORMATIONAL exchange with a DELETE payload to the remote peer, then removes the local SA and associated kernel policies.

Synopsis

swanctl --terminate --child <name> | --ike <name> |
                    --child-id <id> | --ike-id <id>
        [--force] [--timeout <s>] [--loglevel <level>] [--raw|--pretty]
        [--uri <uri>]

You must specify exactly one of --child, --ike, --child-id, or --ike-id. Terminating an IKE_SA also tears down all CHILD_SAs within it.

Options

--child
string
Terminate all CHILD_SAs that match the given configuration name. All active CHILD_SAs derived from this config across any IKE_SA will be deleted.
--ike
string
Terminate the IKE_SA matching the given configuration name, including all of its CHILD_SAs.
--child-id
integer
Terminate a single CHILD_SA by its unique numeric identifier. Use swanctl --list-sas to find the ID (shown as #<id> in the CHILD_SA line).
--ike-id
integer
Terminate a single IKE_SA by its unique numeric identifier. The ID is shown as #<id> in the IKE_SA header from swanctl --list-sas.
--force
boolean
Tear down the SA locally without waiting for the DELETE exchange to complete. Use this when the remote peer is unreachable or unresponsive.
--timeout
integer
default: 0
Seconds to wait for the DELETE exchange to finish before detaching. 0 (default) waits indefinitely. When combined with --force, the daemon still sends the DELETE but does not wait for acknowledgement.
--loglevel
integer
default: 1
Verbosity of log messages streamed back over the control-log VICI event. Range: 0 (errors only) to 4 (full debug).
--raw
boolean
Print the raw VICI response message.
--pretty
boolean
Print the raw VICI response with pretty-print indentation. Implies --raw.
--uri
string
VICI socket URI. Overrides the default unix:///var/run/charon.vici.

Examples

Terminate an IKE_SA by config name

This closes the IKE_SA and all CHILD_SAs belonging to the net-net connection:

swanctl --terminate --ike net-net

Expected output:

[IKE] deleting IKE_SA net-net[1] between 192.168.0.1[moon.strongswan.org]...192.168.0.2[sun.strongswan.org]
[IKE] sending DELETE for IKE_SA net-net[1]
[ENC] generating INFORMATIONAL request 3 [ D ]
terminate completed successfully

Terminate a specific CHILD_SA by config name

Only the CHILD_SA is removed; the parent IKE_SA remains active:

swanctl --terminate --child home

Terminate by unique ID

Use the numeric ID from swanctl --list-sas output when multiple SAs share the same config name:

swanctl --terminate --ike-id 3
swanctl --terminate --child-id 7

Force-delete an unreachable peer

When the remote gateway is down and you need to clean up local state immediately:

swanctl --terminate --ike net-net --force
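
Terminate every SA sharing a config name, by ID

As an added example (not part of the strongSwan documentation or project), the following POSIX shell script pulls the #<id> values for one config name out of swanctl --list-sas output and terminates each matching SA by ID, which is what --ike-id and --child-id are for when several SAs share a name. The --list-sas sample is constructed to approximate the documented layout, and the function names are assumptions; it runs as a dry run unless SWANCTL=swanctl is exported.

```shell
#!/bin/sh
# Added example, not part of the strongSwan docs: pull the numeric IKE_SA and
# CHILD_SA ids for one config name out of `swanctl --list-sas` output and
# terminate each one by id, so a name shared by several SAs is handled
# explicitly. Defaults to a dry run (SWANCTL=echo); set SWANCTL=swanctl to act.
set -e
SWANCTL=${SWANCTL:-echo}

# Constructed sample of `swanctl --list-sas` output (layout approximated from
# the documented "#<id>" convention): two IKE_SAs share the name net-net.
sample_list_sas() {
  cat <<'EOF'
net-net: #1, ESTABLISHED, IKEv2, 0123456789abcdef_i* fedcba9876543210_r
  local  'moon.strongswan.org' @ 192.168.0.1[500]
  remote 'sun.strongswan.org' @ 192.168.0.2[500]
  net-net: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-128
net-net: #3, ESTABLISHED, IKEv2, 1111111111111111_i 2222222222222222_r
  net-net: #7, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-128
home: #4, ESTABLISHED, IKEv2, 3333333333333333_i 4444444444444444_r
  home: #8, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-128
EOF
}

# IKE_SA headers are the unindented "<name>: #<id>, ..." lines.
ike_ids_for_config() {
  awk -v name="$1" '/^[^ \t]/ && $1 == (name ":") && $2 ~ /^#[0-9]+,?$/ {
    id = substr($2, 2); sub(/,$/, "", id); print id }'
}

# CHILD_SA entries are the indented "<name>: #<id>, reqid <n>, ..." lines.
child_ids_for_config() {
  awk -v name="$1" '/^[ \t]/ && $1 == (name ":") && $2 ~ /^#[0-9]+,?$/ && $3 == "reqid" {
    id = substr($2, 2); sub(/,$/, "", id); print id }'
}

# Read ids from stdin and terminate each; extra arguments such as
# --force or --timeout 5 are passed through to swanctl unchanged.
terminate_ike_ids() {
  while read -r id; do "$SWANCTL" --terminate --ike-id "$id" "$@"; done
}
terminate_child_ids() {
  while read -r id; do "$SWANCTL" --terminate --child-id "$id" "$@"; done
}

# Dry run against the sample; on a live system replace sample_list_sas
# with `swanctl --list-sas` and export SWANCTL=swanctl.
sample_list_sas | ike_ids_for_config net-net | terminate_ike_ids --force --timeout 5
```

Terminating by ID rather than by name avoids deleting an SA that was created under the same name between listing and terminating; re-list after a --force run to confirm no stale IKE_SA remains.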

Exit codes

Code    Meaning
0       SA terminated successfully
1       Termination failed (error message printed to stderr)
other   Connection to VICI socket failed or unexpected error

See also