Hey all.
So... this one kicked my arse for a while today looking at upgrading existing vyos firewalls to the nightly.
Specifically, site-to-site VPNs in 1.1.7 that don't specify an IKE dh-group will (silently) default to dh-group 2. It looks to me like the nightly doesn't specify a DH group at all under those circumstances, which is a duff configuration to my understanding.
I don't know if there's a configuration upgrade script that's run when versions are upgraded, but I think this needs to go from an implicit configuration to an explicit one.