On 2018-09-10, Tim Jones <b631093f-779b-4d67-9ffe-5f6d5b1d3...@protonmail.ch> wrote:
> Unless I misunderstand the 6.3 docs, the following should be valid :
> childsa auth enc chacha20-poly1305 group curve25519

For the AEAD types like chacha20-poly1305 and aes-256-gcm, just specify them in "enc" and leave out "auth".

> But I get an error "not a valid authentication mode". If I comment out that
> line, my configuration validates OK.
>
> The same happens if I copy/paste one of the examples from the docs (e.g.
> childsa enc aes-128 auth hmac-sha2-256 )
>
> This is what my /etc/iked.conf looks like (excluding the macro lines, which
> have been withheld to protect the innocent) :
>
> # MAIN CONFIG
> ikev2 esp from $local_subnet to $remote_subnet \
>         local $local_ip peer $remote_ip \
>         ikesa auth hmac-sha2-512 enc aes-256 prf hmac-sha2-512 group curve25519 \
>         #childsa enc aes-128 auth hmac-sha2-256\
>         srcid $local_ip dstid $remote_ip \
>         ikelifetime 4h lifetime 3h bytes 512M \
>         ikeauth ecdsa384

"ikeauth" isn't a keyword to be used in the file, it's something that is replaced with either "eap <type>", "ecdsa###", "psk <string>", etc.
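The quoted rule with both corrections from this reply applied (the AEAD cipher given only under "enc", and the literal "ikeauth" keyword replaced by the actual method), written here as an added example rather than taken from the thread; the macro names are the poster's, but their values are made-up placeholders:

```conf
# Added example, not from the thread. Macro values are placeholder addresses.
local_ip      = "192.0.2.1"
remote_ip     = "198.51.100.1"
local_subnet  = "10.0.1.0/24"
remote_subnet = "10.0.2.0/24"

# AEAD ciphers (chacha20-poly1305, aes-256-gcm) carry their own integrity
# check, so the childsa line has "enc" but no "auth".
# The rule ends with the authentication method itself (ecdsa384), not the
# word "ikeauth".
ikev2 esp from $local_subnet to $remote_subnet \
        local $local_ip peer $remote_ip \
        ikesa auth hmac-sha2-512 enc aes-256 prf hmac-sha2-512 group curve25519 \
        childsa enc chacha20-poly1305 group curve25519 \
        srcid $local_ip dstid $remote_ip \
        ikelifetime 4h lifetime 3h bytes 512M \
        ecdsa384
```

Running `iked -n` (configtest mode) parses the file without starting the daemon, so the "not a valid authentication mode" error would show up there before any tunnel is brought up.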