diff -Naur libreswan-3.27-orig/lib/libipsecconf/confread.c libreswan-3.27/lib/libipsecconf/confread.c
--- libreswan-3.27-orig/lib/libipsecconf/confread.c	2018-12-09 12:45:14.559217654 -0500
+++ libreswan-3.27/lib/libipsecconf/confread.c	2018-12-09 13:05:01.641609352 -0500
@@ -148,7 +148,7 @@
 	cfg->conn_default.policy =
 		POLICY_TUNNEL |
 		POLICY_ENCRYPT | POLICY_PFS |
-		POLICY_IKEV1_ALLOW | POLICY_IKEV2_ALLOW |	/* ikev2=permit */
+		POLICY_IKEV2_ALLOW | POLICY_IKEV2_PROPOSE |	/* ikev2=insist */
 		POLICY_SAREF_TRACK |         /* sareftrack=yes */
 		POLICY_IKE_FRAG_ALLOW |      /* ike_frag=yes */
 		POLICY_ESN_NO;      	     /* esn=no */
@@ -1257,16 +1257,15 @@
 			break;
 
 		case fo_permit:
-			/* this is the default for now */
-			pv2 = POLICY_IKEV1_ALLOW | POLICY_IKEV2_ALLOW;
-			break;
+			starter_error_append(perrl, "ikev2=permit is no longer accepted. Use ikev2=yes or ikev2=no");
+			return TRUE;
 
 		case fo_propose:
-			pv2 = POLICY_IKEV1_ALLOW | POLICY_IKEV2_ALLOW | POLICY_IKEV2_PROPOSE;
-			break;
+			starter_error_append(perrl, "ikev2=propose is no longer accepted. Use ikev2=yes or ikev2=no");
+			return TRUE;
 
 		case fo_insist:
-			pv2 =                      POLICY_IKEV2_ALLOW | POLICY_IKEV2_PROPOSE;
+			pv2 = POLICY_IKEV2_ALLOW | POLICY_IKEV2_PROPOSE;
 			break;
 		}
 		conn->policy = (conn->policy & ~POLICY_IKEV2_MASK) | pv2;
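Review bot: The error text added for fo_permit and fo_propose tells the user to "Use ikev2=yes or ikev2=no", but the ikev2.xml change in this same patch states that `yes` is one of the keywords that "now cause the connection to fail to load"; if `yes` still maps to fo_propose in kw_fourvalued_values (not visible here), the message recommends a value this very case rejects. Either keep `yes` as an alias for fo_insist or change both messages to name the value that is actually accepted, e.g. `starter_error_append(perrl, "ikev2=permit is no longer accepted. Use ikev2=insist or ikev2=no");`. The enclosing function and the head of the switch start outside the hunk.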
diff -Naur libreswan-3.27-orig/lib/libipsecconf/keywords.c libreswan-3.27/lib/libipsecconf/keywords.c
--- libreswan-3.27-orig/lib/libipsecconf/keywords.c	2018-10-07 22:52:09.000000000 -0400
+++ libreswan-3.27/lib/libipsecconf/keywords.c	2018-12-09 13:02:15.541619284 -0500
@@ -74,7 +74,7 @@
 static const struct keyword_enum_values kw_keyexchange_list = VALUES_INITIALIZER(kw_keyexchange_values);
 
 /*
- * Values for Four-State options, such as ikev2
+ * Values for Four-State options, such as ppk
  */
 static const struct keyword_enum_value kw_fourvalued_values[] = {
 	{ "never",     fo_never  },
diff -Naur libreswan-3.27-orig/programs/configs/d.ipsec.conf/ikev2.xml libreswan-3.27/programs/configs/d.ipsec.conf/ikev2.xml
--- libreswan-3.27-orig/programs/configs/d.ipsec.conf/ikev2.xml	2018-10-07 22:52:09.000000000 -0400
+++ libreswan-3.27/programs/configs/d.ipsec.conf/ikev2.xml	2018-12-09 13:02:15.541619284 -0500
@@ -1,25 +1,13 @@
   <varlistentry>
   <term><emphasis remap='B'>ikev2</emphasis></term>
   <listitem>
-<para>IKEv2 (RFC 7296) settings to be used. Currently the accepted
-values are <emphasis remap='B'>permit</emphasis>(the default),
-signifying IKEv2 will be accepted if received, but IKEv1 will be used
-when initiating; <emphasis remap='B'>never</emphasis> or <emphasis
-remap='B'>no</emphasis> signifying no IKEv2 negotiation should be
-transmitted or accepted; <emphasis remap='B'>propose</emphasis> or
-<emphasis remap='B'>yes</emphasis> signifying that we permit IKEv1
-and IKEv2, and use IKEv2 as the default to initiate; and <emphasis
-remap='B'>insist</emphasis>signifying we only accept and receive IKEv2 -
-IKEv1 negotiations will be rejected.
-</para><para>
-If the ikev2= setting is set to <emphasis remap='B'>permit</emphasis>
-or <emphasis remap='B'>propose</emphasis>, Libreswan will try and detect a
-"bid down" attack from IKEv2 to IKEv1.  Since there is no standard for
-transmitting the IKEv2 capability with IKEv1, Libreswan uses a special
-Vendor ID "CAN-IKEv2". If a fall back from IKEv2 to IKEv1 was detected,
-and the IKEv1 negotiation contains Vendor ID "CAN-IKEv2", Libreswan will
-immediately attempt and IKEv2 rekey and refuse to use the IKEv1 connection.
-With an ikev2= setting of <emphasis remap='B'>insist</emphasis>, no IKEv1
-negotiation is allowed, and no bid down attack is possible.</para>
+<para>Wether to use IKEv1 (RFC 4301) or IKEv2 (RFC 7296) as the Internet Key Exchange (IKE) protcol.
+Currently the accepted values are <emphasis remap='B'>no</emphasis> (or <emphasis remap='B'>never</emphasis>)
+signifying only IKEv1 is accepted, or <emphasis remap='B'>insist</emphasis>(the default),
+signifying only IKEv2 is accepted. Previous versions allowed the keywords
+<emphasis remap='B'>propose</emphasis>, <emphasis remap='B'>yes</emphasis> or <emphasis remap='B'>permit</emphasis>
+that would allow either IKEv1 or IKEv2, but this is no longer supported and both options
+now cause the connection to fail to load.
+</para>
   </listitem>
   </varlistentry>
diff -Naur libreswan-3.27-orig/programs/whack/whack.c libreswan-3.27/programs/whack/whack.c
--- libreswan-3.27-orig/programs/whack/whack.c	2018-10-07 22:52:09.000000000 -0400
+++ libreswan-3.27/programs/whack/whack.c	2018-12-09 13:06:01.825333781 -0500
@@ -108,7 +108,7 @@
 		"	[--mtu <mtu>] \\\n"
 		"	[--priority <prio>] [--reqid <reqid>] \\\n"
 		"	[--tfc <size>] [--send-no-esp-tfc] \\\n"
-		"	[--ikev1-allow | --ikev2-allow | --ikev2-propose] \\\n"
+		"	[--ikev1-allow | --ikev2-allow ] \\\n"
 		"	[--allow-narrowing] [--sareftrack] [--sarefconntrack] \\\n"
 		"	[--ikefrag-allow | --ikefrag-force] [--no-ikepad] \\\n"
 		"	[--esn ] [--no-esn] [--decap-dscp] [--nopmtudisc] [--mobike] \\\n"
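Review bot: The rewritten usage line leaves a stray space before the closing bracket, `--ikev2-allow ]`, which the other alternatives in this usage block do not have; `"	[--ikev1-allow | --ikev2-allow] \\\n"` matches them. Since the option table and the CDP_SINGLETON case for `--ikev2-propose` are removed in this same patch, dropping it from the usage text is consistent.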
@@ -711,7 +711,6 @@
 
 	PS("ikev1-allow", IKEV1_ALLOW),
 	PS("ikev2-allow", IKEV2_ALLOW),
-	PS("ikev2-propose", IKEV2_PROPOSE),
 
 	PS("allow-narrowing", IKEV2_ALLOW_NARROWING),
 #ifdef XAUTH_HAVE_PAM
@@ -1627,8 +1626,6 @@
 		case CDP_SINGLETON + POLICY_IKEV1_ALLOW_IX:
 		/* --ikev2-allow */
 		case CDP_SINGLETON + POLICY_IKEV2_ALLOW_IX:
-		/* --ikev2-propose */
-		case CDP_SINGLETON + POLICY_IKEV2_PROPOSE_IX:
 
 		/* --allow-narrowing */
 		case CDP_SINGLETON + POLICY_IKEV2_ALLOW_NARROWING_IX:
@@ -2191,6 +2188,15 @@
 		break;
 	}
 
+	/* fixup old to new style IKEv1/IKEv2 settings */
+        if (msg.policy & POLICY_IKEV2_ALLOW) {
+		/* IKEv2 now always has ALLOW+PROPOSE */
+		msg.policy |= POLICY_IKEV2_PROPOSE;
+	}
+	if (msg.policy & POLICY_IKEV2_ALLOW &&
+		msg.policy & POLICY_IKEV1_ALLOW) {
+		diag("connection cannot be both ikev1 and ikev2");
+	}
 
 	if (oppo_dport != 0)
 		setportof(htons(oppo_dport), &msg.oppo_peer_client);
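Review bot: The first added `if` at the "fixup" block is indented with eight spaces while every surrounding line uses a tab, so the file now mixes indentation inside one block; it should read `	if (msg.policy & POLICY_IKEV2_ALLOW) {` with a tab. The combined condition below relies on `&` binding tighter than `&&`, which is correct but easy to misread in a policy check; `if ((msg.policy & POLICY_IKEV2_ALLOW) && (msg.policy & POLICY_IKEV1_ALLOW))` makes the intent explicit. A short comment stating that diag() does not return (assuming that is whack's diag, which is not shown here) would make clear that a connection carrying both flags never proceeds to the later default-to-v2 step.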
@@ -2267,11 +2273,12 @@
 				diag("must specify connection authentication, eg --rsasig, --psk or --auth-null for non-shunt connection");
 
 			/*
-			 * If neither v1 nor v2, default to v1
-			 * (backward compatibility)
+			 * If neither v1 nor v2, default to v2
 			 */
-			if (!(msg.policy & POLICY_IKEV2_MASK))
-				msg.policy |= POLICY_IKEV1_ALLOW;
+			if (!(msg.policy & POLICY_IKEV2_MASK)) {
+				msg.policy |= POLICY_IKEV2_ALLOW;
+				msg.policy |= POLICY_IKEV2_PROPOSE;
+			}
 
 			/*
 			 * ??? this test can never fail: