Hi,

> esp=aes256gcm16-sha1!

This hardly makes sense. You can specify an integrity algorithm if you have both AEAD and traditional ciphers. The peer then may select either the AEAD or the traditional encryption+integrity algorithms.

> Does it remove the -sha1 part

Any integrity algorithm specified for an AEAD-only proposal gets silently removed.

Regards
Martin