SA Events - strongSwan

The daemon fires these events asynchronously when SA state changes. Register for them using EVENT_REGISTER before the event can occur (see protocol for the registration sequence).

ike-updown

Fired when an IKE_SA is established or terminated.

string

Present and set to yes for an up (established) event. Absent on a down (terminated) event.

<IKE_SA config name>

section

SA data section named after the IKE configuration. Contains the same fields as the list-sa event, but without the child-sas subsection.

ike-rekey

Fired when an IKE_SA is rekeyed.

<IKE_SA config name>

section

SA data section containing two subsections:

Show fields

old

section

The old IKE_SA data (same fields as list-sa, without child-sas).

new

section

The new IKE_SA data (same fields as list-sa, without child-sas).

ike-update

Fired when the local or remote endpoint address of an IKE_SA is about to change (MOBIKE or similar). At least one address or port differs from the previous value.

local-host

string

New local IKE endpoint address.

local-port

string

New local IKE endpoint port.

remote-host

string

New remote IKE endpoint address.

remote-port

string

New remote IKE endpoint port.

<IKE_SA config name>

section

SA data listing the old addresses/ports (same fields as list-sa, without child-sas).

child-updown

Fired when a CHILD_SA is established or terminated.

string

Present and set to yes for an up (established) event. Absent on a down (terminated) event.

<IKE_SA config name>

section

SA data section (same fields as list-sa) containing only the affected CHILD_SA in child-sas.

child-rekey

Fired when a CHILD_SA is rekeyed.

<IKE_SA config name>

section

SA data section (same fields as list-sa) where child-sas contains:

Show child-sas structure

<child-sa-name>

section

Show fields

old

section

The old CHILD_SA data (same fields as in list-sa).

new

section

The new CHILD_SA data (same fields as in list-sa).

list-sa

Streamed during an active list-sas command. Each event carries one IKE_SA and its CHILD_SAs.

<IKE_SA config name>

section

Show IKE_SA fields

uniqueid

string

Unique IKE_SA identifier.

version

string

IKE version: 1 or 2.

state

string

IKE_SA state name.

local-host

string

Local IKE endpoint address.

local-port

string

Local IKE endpoint port.

local-id

string

Local IKE identity.

remote-host

string

Remote IKE endpoint address.

remote-port

string

Remote IKE endpoint port.

remote-id

string

Remote IKE identity.

remote-xauth-id

string

Remote XAuth identity (XAuth-authenticated sessions only).

remote-eap-id

string

Remote EAP identity (EAP-authenticated sessions only).

initiator

string

yes if this peer initiated the IKE_SA.

initiator-spi

string

Hex-encoded initiator SPI / cookie.

responder-spi

string

Hex-encoded responder SPI / cookie.

nat-local

string

yes if the local endpoint is behind NAT.

nat-remote

string

yes if the remote endpoint is behind NAT.

nat-fake

string

yes if the NAT situation was faked as responder.

nat-any

string

yes if any endpoint is behind NAT (including faked).

if-id-in

string

Hex-encoded default inbound XFRM interface ID.

if-id-out

string

Hex-encoded default outbound XFRM interface ID.

encr-alg

string

IKE encryption algorithm name.

encr-keysize

string

Key size for encr-alg, if applicable.

integ-alg

string

IKE integrity algorithm name.

integ-keysize

string

Key size for integrity algorithm, if applicable.

prf-alg

string

IKE pseudo-random function name.

dh-group

string

IKE key exchange method name.

ake1 … ake7

string

Additional IKE key exchange method names (post-quantum hybrid KE), if negotiated.

established

string

Seconds the IKE_SA has been established.

rekey-time

string

Seconds until the IKE_SA is rekeyed.

reauth-time

string

Seconds until the IKE_SA is re-authenticated.

local-vips

list

Virtual IPs assigned by the remote peer, installed locally.

remote-vips

list

Virtual IPs assigned to the remote peer.

tasks-queued

list

Tasks queued for execution.

tasks-active

list

Tasks currently being initiated actively.

tasks-passive

list

Tasks currently being handled passively.

child-sas

section

One subsection per CHILD_SA, named <child-sa-name> (unique within this IKE_SA).

Show CHILD_SA fields

name

string

CHILD_SA configuration name.

uniqueid

string

Unique CHILD_SA identifier.

reqid

string

Request ID of the CHILD_SA.

state

string

CHILD_SA state string.

mode

string

IPsec mode: tunnel, transport, or beet.

protocol

string

IPsec protocol: AH or ESP.

encap

string

yes if using UDP encapsulation.

spi-in

string

Hex-encoded inbound SPI.

spi-out

string

Hex-encoded outbound SPI.

encr-alg

string

ESP encryption algorithm name.

encr-keysize

string

ESP encryption key size, if applicable.

integ-alg

string

ESP or AH integrity algorithm name.

esn

string

1 if using extended sequence numbers.

bytes-in

string

Input bytes processed.

packets-in

string

Input packets processed.

bytes-out

string

Output bytes processed.

packets-out

string

Output packets processed.

rekey-time

string

Seconds until CHILD_SA is rekeyed.

life-time

string

Seconds until CHILD_SA expires.

install-time

string

Seconds the CHILD_SA has been installed.

local-ts

list

Local traffic selectors.

remote-ts

list

Remote traffic selectors.

list-policy

Streamed during an active list-policies command. Each event describes one installed policy.

<ike-config/child-config>

section

Show fields

child

string

CHILD_SA configuration name.

ike

string

IKE_SA configuration name or namespace, if available.

mode

string

Policy mode: tunnel, transport, pass, or drop.

label

string

Hex-encoded security label, if set.

local-ts

list

Local traffic selectors.

remote-ts

list

Remote traffic selectors.

list-conn

Streamed during an active list-conns command. Each event describes one loaded connection.

<IKE_SA connection name>

section

Show fields

local_addrs

list

Valid local IKE endpoint addresses.

remote_addrs

list

Valid remote IKE endpoint addresses.

local_port

string

Local IKE endpoint port.

remote_port

string

Remote IKE endpoint port.

version

string

IKE version: IKEv1, IKEv2, or 0 for any.

reauth_time

string

IKE_SA reauthentication interval in seconds.

rekey_time

string

IKE_SA rekeying interval in seconds.

local*, remote*

section

Multiple authentication sections. Each contains class, eap-type, id, certs, cacerts, groups, and related auth fields.

children

section

CHILD_SA configurations, each with mode, rekey_time, rekey_bytes, rekey_packets, local-ts, and remote-ts.

list-cert

Streamed during an active list-certs command.

type

string

Certificate type: X509, X509_AC, X509_CRL, OCSP_RESPONSE, or PUBKEY.

flag

string

X.509 certificate flag: NONE, CA, AA, or OCSP.

has_privkey

string

Set if a private key for this certificate is available in the daemon.

data

string

ASN.1 encoded certificate data.

subject

string

Subject string. Present when type is PUBKEY.

not-before

string

Validity start time. Present when type is PUBKEY.

not-after

string

Validity end time. Present when type is PUBKEY.

list-authority

Streamed during an active list-authorities command.

section

Show fields

cacert

string

Subject distinguished name of the CA certificate.

crl_uris

list

CRL distribution URIs (http, ldap, or file).

ocsp_uris

list

OCSP responder URIs (http).

cert_uri_base

string

Base URI for downloading certificates using hash-and-URL.

alert

Fired for specific error conditions. Some alerts include an associated IKE_SA.

type

string

Alert type string. See the full list below.

ike-sa

section

Present when the alert is associated with an IKE_SA. Contains a subsection named after the IKE configuration with the same fields as list-sa (without child-sas).

Alert type values

Value	Description
`authorization-failed`	An authorization hook failed
`cert-exceeded-path-len`	Certificate trust chain length exceeds the configured limit
`cert-expired`	Certificate rejected — it has expired
`cert-no-issuer`	Certificate rejected — no trusted issuer found
`cert-policy-violation`	Certificate rejected — other policy violation
`cert-revoked`	Certificate rejected — it has been revoked
`cert-untrusted-root`	Certificate rejected — root CA not trusted
`cert-validation-failed`	Certificate rejected — status validation failed
`half-open-timeout`	Half-open timeout reached before IKE_SA was established
`ike-sa-expired`	IKE_SA hit hard lifetime limit before it could be rekeyed
`install-child-policy-failed`	Installation of IPsec policy failed
`install-child-sa-failed`	Installation of IPsec SAs failed
`invalid-ike-spi`	Received IKE message with an invalid SPI
`keep-on-child-sa-failure`	IKE_SA kept alive after a failed CHILD_SA establishment
`local-auth-failed`	Local peer authentication failed (by us or by peer)
`parse-error-body`	Received IKE message with an invalid body
`parse-error-header`	Received IKE message with an invalid header
`peer-addr-failed`	Failed to resolve peer address
`peer-auth-failed`	Peer authentication failed
`peer-init-unreachable`	Peer did not respond to the initial message
`proposal-mismatch-child`	CHILD_SA proposals do not match
`proposal-mismatch-ike`	IKE proposals do not match
`radius-not-responding`	A RADIUS server did not respond
`retransmit-receive`	Received a retransmit for a message
`retransmit-send`	Sending a retransmit for a message
`retransmit-send-cleared`	Received a response for a retransmitted request
`retransmit-send-timeout`	Sending retransmits timed out
`shutdown-signal`	A shutdown signal was received
`ts-mismatch`	Traffic selectors do not match
`ts-narrowed`	Traffic selectors were narrowed (by us or by peer)
`unique-keep`	IKE_SA deleted due to `keep` unique policy
`unique-replace`	IKE_SA deleted due to `replace` unique policy
`vip-failure`	Allocating a virtual IP address failed

Documentation Index

​ike-updown

​ike-rekey

​ike-update

​child-updown

​child-rekey

​list-sa

​list-policy

​list-conn

​list-cert

​list-authority

​alert

​Alert type values

ike-updown

ike-rekey

ike-update

child-updown

child-rekey

list-sa

list-policy

list-conn

list-cert

list-authority

alert

Alert type values