Unless I misunderstand the 6.3 docs, the following should be valid:

    childsa auth enc chacha20-poly1305 group curve25519

But I get an error "not a valid authentication mode". If I comment out that line, my configuration validates OK. The same happens if I copy/paste one of the examples from the docs (e.g. childsa enc aes-128 auth hmac-sha2-256).

This is what my /etc/iked.conf looks like (excluding the macro lines, which have been withheld to protect the innocent):

    # MAIN CONFIG
    ikev2 esp from $local_subnet to $remote_subnet \
        local $local_ip peer $remote_ip \
        ikesa auth hmac-sha2-512 enc aes-256 prf hmac-sha2-512 group curve25519 \
        #childsa enc aes-128 auth hmac-sha2-256\
        srcid $local_ip dstid $remote_ip \
        ikelifetime 4h lifetime 3h bytes 512M \
        ikeauth ecdsa384