diff --git a/net/strongswan/files/swanctl.init b/net/strongswan/files/swanctl.init
index 344518e3c..692cc2bbe 100644
--- a/net/strongswan/files/swanctl.init
+++ b/net/strongswan/files/swanctl.init
@@ -17,6 +17,8 @@ SWANCTL_VAR_CONF_FILE=/var/swanctl/swanctl.conf
 WAIT_FOR_INTF=0
+CONFIG_FAIL=0
+
 time2seconds() {
 local timestring="$1"
@@ -128,6 +130,11 @@ warning() {
 echo "WARNING: $@" >&2
 }
+fatal() {
+ echo "ERROR: $@" >&2
+ CONFIG_FAIL=1
+}
+
 is_aead() {
 local cipher="$1"
@@ -150,7 +157,7 @@ add_esp_proposal() {
 # check for AEAD and clobber hash_algorithm if set
 if is_aead "$encryption_algorithm" && [ -n "$hash_algorithm" ]; then
- warning "Can't have $hash_algorithm with $encryption_algorithm"
+ fatal "Can't have $hash_algorithm with $encryption_algorithm"
 hash_algorithm=
 fi
@@ -182,7 +189,7 @@ add_ike_proposal() {
 # check for AEAD and clobber hash_algorithm if set
 if is_aead "$encryption_algorithm" && [ -n "$hash_algorithm" ]; then
- warning "Can't have $hash_algorithm with $encryption_algorithm"
+ fatal "Can't have $hash_algorithm with $encryption_algorithm"
 hash_algorithm=
 fi
@@ -245,7 +252,7 @@ config_conn() {
 # already using new syntax
 ;;
 *)
- warning "Startaction $startaction unknown"
+ fatal "Startaction $startaction unknown"
 startaction=
 ;;
 esac
@@ -261,7 +268,7 @@ config_conn() {
 # already using new syntax
 ;;
 *)
- warning "Closeaction $closeaction unknown"
+ fatal "Closeaction $closeaction unknown"
 closeaction=
 ;;
 esac
@@ -283,7 +290,7 @@ config_conn() {
 # already using new syntax
 ;;
 *)
- warning "Dpdaction $dpdaction unknown"
+ fatal "Dpdaction $dpdaction unknown"
 dpdaction=
 ;;
 esac
@@ -378,7 +385,7 @@ config_remote() {
 # already using new syntax
 ;;
 *)
- warning "Fragmentation $fragmentation not supported"
+ fatal "Fragmentation $fragmentation not supported"
 fragmentation=
 ;;
 esac
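Review bot: `fatal()` does not abort anything: it prints the message and sets `CONFIG_FAIL=1`, and every call site in this diff carries on, clearing the offending variable and continuing to build the configuration. The name therefore reads stronger than the behaviour, so a comment above it would help, e.g. `# record a config error; start_service refuses to launch charon when CONFIG_FAIL is set`. Because the flag is a plain shell global, the assignment is lost if any caller runs inside a subshell, a command substitution or a pipeline. No such caller is visible here, but add_esp_proposal, add_ike_proposal, config_conn and config_remote all start outside these hunks, so that is worth confirming.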
@@ -395,7 +402,7 @@ config_remote() {
 local ike_proposal
 parse_ike_proposal "$1" ike_proposal
- [ -n "$firewall" ] && warning "Firewall not supported"
+ [ -n "$firewall" ] && fatal "Firewall not supported"
 swanctl_xappend0 "# config for $config_name"
 swanctl_xappend0 "connections {"
@@ -434,7 +441,7 @@ config_remote() {
 ikev2) swanctl_xappend2 "version = 2" ;;
 *)
- warning "Keyexchange $keyexchange not supported"
+ fatal "Keyexchange $keyexchange not supported"
 keyexchange=
 ;;
 esac
@@ -489,7 +496,7 @@ config_remote() {
 fi
 fi
 else
- warning "AuthenticationMode $auth_mode not supported"
+ fatal "AuthenticationMode $auth_mode not supported"
 fi
 swanctl_xappend0 ""
@@ -593,6 +600,11 @@ start_service() {
 [ $WAIT_FOR_INTF -eq 1 ] && return
+ if [ $CONFIG_FAIL -ne 0 ]; then
+ procd_set_param error "Invalid configuration"
+ return
+ fi
+
 procd_open_instance
 procd_set_param command $PROG --daemon charon --nofork
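Review bot: The guard added in start_service is the only consumer of `CONFIG_FAIL` visible in this diff, so it cannot be confirmed from here that a reload is blocked as well. If the script has a reload path that regenerates swanctl.conf and loads it into a running charon, it needs the same check; otherwise a configuration with the rejected option silently cleared (for example `hash_algorithm=` or `keyexchange=`) could still be applied. The guard also sits after the `[ $WAIT_FOR_INTF -eq 1 ] && return` line, so in that case the error is only printed by `fatal()` and never reaches `procd_set_param error`. I would quote the test, `if [ "$CONFIG_FAIL" -ne 0 ]; then`, and put a comment above it such as `# refuse to start charon on a configuration that fatal() rejected`. start_service begins and ends outside the hunk.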