diff --git a/neutronclient/neutron/v2_0/vpn/ikepolicy.py b/neutronclient/neutron/v2_0/vpn/ikepolicy.py
index fe41655..2a5d91b 100644
--- a/neutronclient/neutron/v2_0/vpn/ikepolicy.py
+++ b/neutronclient/neutron/v2_0/vpn/ikepolicy.py
@@ -49,7 +49,7 @@ class CreateIKEPolicy(neutronv20.CreateCommand):
             help=_('Description of the IKE policy'))
         parser.add_argument(
             '--auth-algorithm',
-            default='sha1', choices=['sha1'],
+            default='sha1', choices=['sha1', 'sha256'],
             help=_('Authentication algorithm in lowercase. '
                    'Default:sha1'))
         parser.add_argument(
diff --git a/neutronclient/neutron/v2_0/vpn/ipsecpolicy.py b/neutronclient/neutron/v2_0/vpn/ipsecpolicy.py
index 8f62964..5da4515 100644
--- a/neutronclient/neutron/v2_0/vpn/ipsecpolicy.py
+++ b/neutronclient/neutron/v2_0/vpn/ipsecpolicy.py
@@ -53,7 +53,7 @@ class CreateIPsecPolicy(neutronv20.CreateCommand):
             help=_('Transform protocol in lowercase, default:esp'))
         parser.add_argument(
             '--auth-algorithm',
-            default='sha1', choices=['sha1'],
+            default='sha1', choices=['sha1', 'sha256'],
             help=_('Authentication algorithm in lowercase, default:sha1'))
         parser.add_argument(
             '--encryption-algorithm',
diff --git a/neutronclient/tests/unit/vpn/test_cli20_ikepolicy.py b/neutronclient/tests/unit/vpn/test_cli20_ikepolicy.py
index c6ac8fb..1dbf588 100644
--- a/neutronclient/tests/unit/vpn/test_cli20_ikepolicy.py
+++ b/neutronclient/tests/unit/vpn/test_cli20_ikepolicy.py
@@ -25,13 +25,14 @@ class CLITestV20VpnIkePolicyJSON(test_cli20.CLITestV20Base):
 
     non_admin_status_resources = ['ikepolicy']
 
-    def test_create_ikepolicy_all_params(self):
+    def _test_create_ikepolicy_all_params(self, auth='sha1',
+                                          expected_exc=None):
         # vpn-ikepolicy-create all params.
         resource = 'ikepolicy'
         cmd = ikepolicy.CreateIKEPolicy(test_cli20.MyApp(sys.stdout), None)
         name = 'ikepolicy1'
         description = 'my-ike-policy'
-        auth_algorithm = 'sha1'
+        auth_algorithm = auth
         encryption_algorithm = 'aes-256'
         ike_version = 'v1'
         phase1_negotiation_mode = 'main'
@@ -67,9 +68,27 @@ class CLITestV20VpnIkePolicyJSON(test_cli20.CLITestV20Base):
             },
         }
 
-        self._test_create_resource(resource, cmd, name, my_id, args,
-                                   position_names, position_values,
-                                   extra_body=extra_body)
+        if not expected_exc:
+            self._test_create_resource(resource, cmd, name, my_id, args,
+                                       position_names, position_values,
+                                       extra_body=extra_body)
+        else:
+            self.assertRaises(
+                expected_exc,
+                self._test_create_resource,
+                resource, cmd, name, my_id, args,
+                position_names, position_values,
+                extra_body=extra_body)
+
+    def test_create_ikepolicy_all_params(self):
+        self._test_create_ikepolicy_all_params()
+
+    def test_create_ikepolicy_auth_sha256(self):
+        self._test_create_ikepolicy_all_params(auth='sha256')
+
+    def test_create_ikepolicy_invalid_auth(self):
+        self._test_create_ikepolicy_all_params(auth='xyz',
+                                               expected_exc=SystemExit)
 
     def test_create_ikepolicy_with_limited_params(self):
         # vpn-ikepolicy-create with limited params.
diff --git a/neutronclient/tests/unit/vpn/test_cli20_ipsecpolicy.py b/neutronclient/tests/unit/vpn/test_cli20_ipsecpolicy.py
index c6b23e1..c8f70f6 100644
--- a/neutronclient/tests/unit/vpn/test_cli20_ipsecpolicy.py
+++ b/neutronclient/tests/unit/vpn/test_cli20_ipsecpolicy.py
@@ -25,13 +25,14 @@ class CLITestV20VpnIpsecPolicyJSON(test_cli20.CLITestV20Base):
 
     non_admin_status_resources = ['ipsecpolicy']
 
-    def test_create_ipsecpolicy_all_params(self):
+    def _test_create_ipsecpolicy_all_params(self, auth='sha1',
+                                            expected_exc=None):
         # vpn-ipsecpolicy-create all params with dashes.
         resource = 'ipsecpolicy'
         cmd = ipsecpolicy.CreateIPsecPolicy(test_cli20.MyApp(sys.stdout), None)
         name = 'ipsecpolicy1'
         description = 'first-ipsecpolicy1'
-        auth_algorithm = 'sha1'
+        auth_algorithm = auth
         encryption_algorithm = 'aes-256'
         encapsulation_mode = 'tunnel'
         pfs = 'group5'
@@ -66,9 +67,27 @@ class CLITestV20VpnIpsecPolicyJSON(test_cli20.CLITestV20Base):
             },
         }
 
-        self._test_create_resource(resource, cmd, name, my_id, args,
-                                   position_names, position_values,
-                                   extra_body=extra_body)
+        if not expected_exc:
+            self._test_create_resource(resource, cmd, name, my_id, args,
+                                       position_names, position_values,
+                                       extra_body=extra_body)
+        else:
+            self.assertRaises(
+                expected_exc,
+                self._test_create_resource,
+                resource, cmd, name, my_id, args,
+                position_names, position_values,
+                extra_body=extra_body)
+
+    def test_create_ipsecpolicy_all_params(self):
+        self._test_create_ipsecpolicy_all_params()
+
+    def test_create_ipsecpolicy_auth_sha256(self):
+        self._test_create_ipsecpolicy_all_params(auth='sha256')
+
+    def test_create_ipsecpolicy_invalid_auth(self):
+        self._test_create_ipsecpolicy_all_params(auth='xyz',
+                                                 expected_exc=SystemExit)
 
     def test_create_ipsecpolicy_with_limited_params(self):
         # vpn-ipsecpolicy-create with limited params.