Diffstat (limited to 'src/conf_mode/vpn_ipsec.py')
-rwxr-xr-xsrc/conf_mode/vpn_ipsec.py18
1 files changed, 17 insertions, 1 deletions
diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py
index a4cd33e64..d3065fc47 100755
--- a/src/conf_mode/vpn_ipsec.py
+++ b/src/conf_mode/vpn_ipsec.py
@@ -102,9 +102,20 @@ def get_config(config=None):
ipsec['esp_group'][group])
if 'ike_group' in ipsec:
default_values = defaults(base + ['ike-group'])
+ # proposal is a tag node which may come with individual defaults per node
+ if 'proposal' in default_values:
+ del default_values['proposal']
+
for group in ipsec['ike_group']:
ipsec['ike_group'][group] = dict_merge(default_values,
ipsec['ike_group'][group])
+
+ if 'proposal' in ipsec['ike_group'][group]:
+ default_values = defaults(base + ['ike-group', 'proposal'])
+ for proposal in ipsec['ike_group'][group]['proposal']:
+ ipsec['ike_group'][group]['proposal'][proposal] = dict_merge(default_values,
+ ipsec['ike_group'][group]['proposal'][proposal])
+
if 'remote_access' in ipsec and 'connection' in ipsec['remote_access']:
default_values = defaults(base + ['remote-access', 'connection'])
for rw in ipsec['remote_access']['connection']:
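Review bot: `default_values` is rebound inside the `for group in ipsec['ike_group']` loop by the added line `default_values = defaults(base + ['ike-group', 'proposal'])`, so every ike-group after the first is merged with the proposal defaults instead of the ike-group defaults at `dict_merge(default_values, ipsec['ike_group'][group])`. Give the inner lookup its own name and hoist it above the loop: `proposal_defaults = defaults(base + ['ike-group', 'proposal'])` before `for group in ipsec['ike_group']:`, then `dict_merge(proposal_defaults, ipsec['ike_group'][group]['proposal'][proposal])` in the inner merge. The esp_group merge just above the hunk appears to follow the same shape, so it is worth checking for the same rebinding. get_config continues outside the hunk on both sides.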
@@ -133,7 +144,7 @@ def get_config(config=None):
l2tp_defaults = defaults(l2tp_base)
ipsec['l2tp'] = dict_merge(l2tp_defaults, ipsec['l2tp'])
ipsec['l2tp_outside_address'] = conf.return_value(['vpn', 'l2tp', 'remote-access', 'outside-address'])
- ipsec['l2tp_ike_default'] = 'aes256-sha1-modp1024,3des-sha1-modp1024,3des-sha1-modp1024'
+ ipsec['l2tp_ike_default'] = 'aes256-sha1-modp1024,3des-sha1-modp1024'
ipsec['l2tp_esp_default'] = 'aes256-sha1,3des-sha1'
return ipsec
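Review bot: After the duplicate entry is dropped, the L2TP default IKE proposal `'aes256-sha1-modp1024,3des-sha1-modp1024'` still carries 3DES, SHA-1 and the 1024-bit MODP group, which sit below current strength guidance; the ESP default on the next line has the same SHA-1/3DES pairing. If these are kept deliberately for legacy L2TP client interoperability (not determinable from the hunk), a comment on the line would spare the next reader the question, e.g. `# legacy-compatible L2TP defaults; operators wanting stronger proposals should reference an explicit ike-group`.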
@@ -250,6 +261,11 @@ def verify(ipsec):
if 'ike_group' in ra_conf:
if 'ike_group' not in ipsec or ra_conf['ike_group'] not in ipsec['ike_group']:
raise ConfigError(f"Invalid ike-group on {name} remote-access config")
+
+ ike = ra_conf['ike_group']
+ if dict_search(f'ike_group.{ike}.key_exchange', ipsec) != 'ikev2':
+ raise ConfigError('IPSec remote-access connections requires IKEv2!')
+
else:
raise ConfigError(f"Missing ike-group on {name} remote-access config")
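Review bot: The new `raise ConfigError('IPSec remote-access connections requires IKEv2!')` omits the connection name that the two neighbouring messages on this branch include, and "connections requires" is ungrammatical; suggest `raise ConfigError(f"IPSec remote-access connection {name} requires IKEv2 on ike-group {ike}")`. The lookup `dict_search(f'ike_group.{ike}.key_exchange', ipsec)` builds a dotted path from the user-chosen group name, so a name containing a dot would presumably miss even though the membership test just above it passed — either confirm the name grammar forbids dots or read `ipsec['ike_group'][ike].get('key_exchange')` directly. verify starts and ends outside the hunk.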