Hi Michael,

> xfrm_acq_expires is the time the kernel holds an acquire event before it
> drops it.

The kernel currently uses the same timeout for SPIs allocated from the kernel for inbound SAs (as done before sending IKE_AUTH/CREATE_CHILD_SA requests), which creates a temporary state that is later updated when the SA's details are known and the keys are derived. If it expired in the meantime, it's theoretically possible that the SPI was reallocated for another SA/request. But since that's unlikely (the kernel allocates them randomly), current versions of the daemon will attempt to install a new SA with the same SPI if updating fails because the temporary state has already expired.

This is also the reason why the default value for xfrm_acq_expires set by the kernel-netlink plugin is based on the configured retransmission timeout. However, only for a single exchange. If e.g. IKE_AUTH requires multiple exchanges due to EAP, the SPI might still expire before the IKE_SA does.

Regards,
Tobias
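The timing relationship described in the reply above, as an added example that is not part of the original mail or of strongSwan's own code: it models charon's exponential retransmission back-off with strongSwan's documented defaults (charon.retransmit_timeout 4.0, charon.retransmit_base 1.8, charon.retransmit_tries 5), derives the single-exchange budget that the plugin's default xfrm_acq_expires is assumed here to be based on, and checks whether a negotiation split into several exchanges (IKE_AUTH with EAP) can outlive the temporary state of a kernel-allocated SPI. Two assumptions are made: that the default equals the summed retransmission waits of one exchange (which yields the documented 165 seconds), and that in the worst case each exchange lasts up to that budget. The strongswan.conf key charon.plugins.kernel-netlink.xfrm_acq_expires is taken from the kernel-netlink plugin documentation; the four-exchange EAP scenario at the bottom is constructed.

```python
"""Added example (not strongSwan code): relate charon's retransmission
budget for one IKE exchange to the lifetime of the temporary kernel state
behind a kernel-allocated SPI (xfrm_acq_expires), and check whether an
IKE_AUTH that needs several exchanges (e.g. EAP) can outlive that state."""

import math
from typing import List, Sequence

# strongSwan's documented defaults for charon.retransmit_timeout,
# charon.retransmit_base and charon.retransmit_tries.
RETRANSMIT_TIMEOUT = 4.0
RETRANSMIT_BASE = 1.8
RETRANSMIT_TRIES = 5


def retransmit_schedule(timeout: float = RETRANSMIT_TIMEOUT,
                        base: float = RETRANSMIT_BASE,
                        tries: int = RETRANSMIT_TRIES) -> List[float]:
    """Seconds charon waits after each send of one request before the next
    retransmit (timeout * base**i); the last entry is the wait before the
    exchange is given up. Assumed model of the documented back-off."""
    return [timeout * base ** i for i in range(tries + 1)]


def exchange_timeout(timeout: float = RETRANSMIT_TIMEOUT,
                     base: float = RETRANSMIT_BASE,
                     tries: int = RETRANSMIT_TRIES) -> float:
    """Worst-case duration of a single exchange: the sum of all waits."""
    return sum(retransmit_schedule(timeout, base, tries))


def acquire_expires_default(timeout: float = RETRANSMIT_TIMEOUT,
                            base: float = RETRANSMIT_BASE,
                            tries: int = RETRANSMIT_TRIES) -> int:
    """Assumed derivation of the kernel-netlink plugin's default
    xfrm_acq_expires: the retransmission budget of ONE exchange, in whole
    seconds (165 with the defaults above)."""
    return int(exchange_timeout(timeout, base, tries))


def spi_state_expires(exchange_durations: Sequence[float],
                      acq_expires: float) -> bool:
    """True if the temporary SA state for an SPI allocated before the first
    exchange expires before the last exchange completes, i.e. the later
    update of that state would fail and charon would have to install a new
    SA with the same SPI instead."""
    return sum(exchange_durations) > acq_expires


def worst_case_negotiation(exchanges: int,
                           timeout: float = RETRANSMIT_TIMEOUT,
                           base: float = RETRANSMIT_BASE,
                           tries: int = RETRANSMIT_TRIES) -> float:
    """Upper bound for `exchanges` back-to-back exchanges, each answered
    just before charon would give up on it (assumed worst case)."""
    return exchanges * exchange_timeout(timeout, base, tries)


def suggested_acq_expires(exchanges: int) -> int:
    """xfrm_acq_expires large enough to cover `exchanges` worst-case
    exchanges with the default retransmission settings."""
    return math.ceil(worst_case_negotiation(exchanges))


def strongswan_conf_fragment(acq_expires: int) -> str:
    """strongswan.conf snippet raising the plugin setting (key name from the
    kernel-netlink plugin documentation)."""
    return ("charon {\n"
            "    plugins {\n"
            "        kernel-netlink {\n"
            f"            xfrm_acq_expires = {acq_expires}\n"
            "        }\n"
            "    }\n"
            "}\n")


if __name__ == "__main__":
    print("retransmit waits:", [round(t, 1) for t in retransmit_schedule()])
    print("single exchange budget:", round(exchange_timeout(), 2), "s")
    print("assumed default xfrm_acq_expires:", acquire_expires_default())
    # Constructed scenario: IKE_AUTH split into four exchanges by EAP, each
    # taking about 50 s (slow EAP backend plus a few retransmits).
    eap_exchanges = [50.0] * 4
    print("4 x 50 s EAP exchanges outlive the SPI state:",
          spi_state_expires(eap_exchanges, acquire_expires_default()))
    print(strongswan_conf_fragment(suggested_acq_expires(4)))
```

With the defaults the waits are 4, 7.2, 12.96, 23.33, 41.99 and 75.58 seconds, so one exchange is abandoned after roughly 165 seconds, which is the value the assumed default reproduces. The constructed four-exchange EAP run adds up to 200 seconds and therefore exceeds that lifetime, so the update of the temporary state would fail and the daemon would fall back to installing a fresh SA under the same SPI, as the reply describes; the config fragment shows the knob to raise if that fallback is to be avoided.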