diff --git a/backend/ipsec/handle_xfrm.go b/backend/ipsec/handle_xfrm.go
index cdbb79f724..490ce502ae 100644
--- a/backend/ipsec/handle_xfrm.go
+++ b/backend/ipsec/handle_xfrm.go
@@ -16,8 +16,10 @@
 package ipsec
 
 import (
+	"errors"
 	"fmt"
 	"net"
+	"syscall"
 
 	log "github.com/golang/glog"
 	"github.com/vishvananda/netlink"
@@ -30,7 +32,7 @@ func AddXFRMPolicy(myLease, remoteLease *subnet.Lease, dir netlink.Dir, reqID in
 
 	dst := remoteLease.Subnet.ToIPNet()
 
-	policy := netlink.XfrmPolicy{
+	policy := &netlink.XfrmPolicy{
 		Src: src,
 		Dst: dst,
 		Dir: dir,
@@ -47,14 +49,23 @@ func AddXFRMPolicy(myLease, remoteLease *subnet.Lease, dir netlink.Dir, reqID in
 		Reqid: reqID,
 	}
 
-	log.Infof("Adding ipsec policy: %+v", tmpl)
-
 	policy.Tmpls = append(policy.Tmpls, tmpl)
 
-	if err := netlink.XfrmPolicyAdd(&policy); err != nil {
-		return fmt.Errorf("error adding policy: %+v err: %v", policy, err)
+	if existingPolicy, err := netlink.XfrmPolicyGet(policy); err != nil {
+		if errors.Is(err, syscall.ENOENT) {
+			log.Infof("Adding ipsec policy: %+v", tmpl)
+			if err := netlink.XfrmPolicyAdd(policy); err != nil {
+				return fmt.Errorf("error adding policy: %+v err: %v", policy, err)
+			}
+		} else {
+			return fmt.Errorf("error getting policy: %+v err: %v", policy, err)
+		}
+	} else {
+		log.Info("Updating ipsec policy %+v with %+v", existingPolicy, policy)
+		if err := netlink.XfrmPolicyUpdate(policy); err != nil {
+			return fmt.Errorf("error updating policy: %+v err: %v", policy, err)
+		}
 	}
-
 	return nil
 }