diff -Naur libreswan-3.28-orig/lib/libipsecconf/confread.c libreswan-3.28/lib/libipsecconf/confread.c

--- libreswan-3.28-orig/lib/libipsecconf/confread.c	2019-05-20 23:01:54.000000000 -0400

+++ libreswan-3.28/lib/libipsecconf/confread.c	2019-05-21 16:59:20.861415770 -0400

@@ -1273,13 +1273,16 @@

 		switch (conn->options[KNCF_IKEv2]) {

 		case fo_never:

-		case fo_permit:

 			conn->policy |= POLICY_IKEV1_ALLOW;

 			/* clear any inherited default */

 			conn->policy &= ~POLICY_IKEV2_ALLOW;

 			break;

-

+		case fo_permit:

+			starter_error_append(perrl, "ikev2=permit is no longer accepted. Use ikev2=insist or ikev2=no|never");

+			return TRUE;

 		case fo_propose:

+			starter_error_append(perrl, "ikev2=propose or ikev2=yes is no longer accepted. Use ikev2=insist or ikev2=no|never");

+			return TRUE;

 		case fo_insist:

 			conn->policy |= POLICY_IKEV2_ALLOW;

 			/* clear any inherited default */

diff -Naur libreswan-3.28-orig/programs/configs/d.ipsec.conf/ikev2.xml libreswan-3.28/programs/configs/d.ipsec.conf/ikev2.xml

--- libreswan-3.28-orig/programs/configs/d.ipsec.conf/ikev2.xml	2019-05-20 23:01:54.000000000 -0400

+++ libreswan-3.28/programs/configs/d.ipsec.conf/ikev2.xml	2019-05-21 16:54:07.584141191 -0400

@@ -1,13 +1,15 @@

   <varlistentry>

   <term><emphasis remap='B'>ikev2</emphasis></term>

   <listitem>

-<para>Whether to use IKEv1 (RFC 4301) or IKEv2 (RFC 7296) settings to be used.

-Currently the accepted values are <emphasis remap='B'>no</emphasis>(the default),

-signifying only IKEv1 is accepted, or <emphasis remap='B'>yes</emphasis>,

+<para>Wether to use IKEv1 (RFC 4301) or IKEv2 (RFC 7296) as the Internet Key Exchange (IKE) protcol.

+Currently the accepted values are <emphasis remap='B'>no</emphasis> (or <emphasis remap='B'>never</emphasis>)

+signifying only IKEv1 is accepted, or <emphasis remap='B'>insist</emphasis>(the default),

 signifying only IKEv2 is accepted. Previous versions allowed the keywords

-<emphasis remap='B'>propose</emphasis> or <emphasis remap='B'>permit</emphasis>

-that would allow either IKEv1 or IKEv2, but this is no longer supported. The

-permit option is interpreted as no and the propose option is interpreted as yes.

+<emphasis remap='B'>propose</emphasis>, <emphasis remap='B'>yes</emphasis> or <emphasis remap='B'>permit</emphasis>

+that would allow either IKEv1 or IKEv2, but this is no longer supported and both options

+now cause the connection to fail to load. <emphasis remap='B'>WARNING:</emphasis> This behaviour differs from upstream

+libreswan, which only accepts <emphasis remap='B'>yes</emphasis> or <emphasis remap='B'>no</emphasis> where yes means

+the same as insist.

 </para>

   </listitem>

   </varlistentry>

diff -Naur libreswan-3.28-orig/programs/whack/whack.c libreswan-3.28/programs/whack/whack.c

--- libreswan-3.28-orig/programs/whack/whack.c	2019-05-20 23:01:54.000000000 -0400

+++ libreswan-3.28/programs/whack/whack.c	2019-05-21 17:01:37.868865569 -0400

@@ -741,7 +741,7 @@

 	PS("ikev1-allow", IKEV1_ALLOW),

 	PS("ikev2-allow", IKEV2_ALLOW),

-	PS("ikev2-propose", IKEV2_ALLOW), /* map onto allow */

+	/* not in RHEL8 PS("ikev2-propose", IKEV2_ALLOW),*/

 	PS("allow-narrowing", IKEV2_ALLOW_NARROWING),

 #ifdef XAUTH_HAVE_PAM

@@ -1683,7 +1683,7 @@

 		/* --ikev1-allow */

 		case CDP_SINGLETON + POLICY_IKEV1_ALLOW_IX:

-		/* --ikev2-allow (now also --ikev2-propose) */

+		/* --ikev2-allow */

 		case CDP_SINGLETON + POLICY_IKEV2_ALLOW_IX:

 		/* --allow-narrowing */