> Yes, please. `YYERROR' is the common idiom after `yyerror()' if you
> want to fail hard.
Good to hear! Below is what I would propose to add to the man page to make the [ESP only] a little clearer. Do you think this would be helpful? Index: iked.conf.5 =================================================================== RCS file: /cvs/src/sbin/iked/iked.conf.5,v retrieving revision 1.55 diff -u -p -u -r1.55 iked.conf.5 --- iked.conf.5 11 May 2019 16:30:23 -0000 1.55 +++ iked.conf.5 16 Aug 2019 08:50:52 -0000 @@ -846,6 +846,12 @@ not encryption: .It Li null Ta "" Ta "[ESP only]" .El .Pp +Transform followed by [IKE only] can only be used with the +.Ic ikesa +keyword, transforms with [ESP only] can only be used with the +.Ic childsa +keyword. +.Pp 3DES requires 24 bytes to form its 168-bit key. This is because the most significant bit of each byte is used for parity. .Pp
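Review bot: The added paragraph mixes singular and plural ("Transform followed by [IKE only]" versus "transforms with [ESP only]") and joins its two clauses with a comma splice. Suggest making both plural and writing two sentences, each starting on its own source line as is usual in mdoc, for example "Transforms marked [IKE only] can only be used with the" / ".Ic ikesa" / "keyword." and the same shape for [ESP only] and childsa. "Marked" may read better than "followed by", since the context line above shows "[ESP only]" as a cell in the table's last column rather than text that follows the transform name. If a mismatch is now a hard parse failure, as the YYERROR remark in the thread suggests, the paragraph could also say that such a configuration is rejected.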
