diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh
index e298a09..bde38a1 100644
--- a/extras/vpnupgrade.sh
+++ b/extras/vpnupgrade.sh
@@ -158,11 +158,14 @@ if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qs -F "$swan_ver"; then
 fi
 # Update ipsec.conf options
-sed -i.old -e "s/auth=esp/phase2=esp/" -e "s/forceencaps=yes/encapsulation=yes/" \
- -e "s/ike=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256/ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024/" \
- -e "s/ike=3des-sha1,aes-sha1,aes256-sha2_256/ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024/" \
- -e "s/phase2alg=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256/phase2alg=3des-sha1,aes-sha1,aes-sha2/" \
- -e "s/phase2alg=3des-sha1,aes-sha1,aes256-sha2_256/phase2alg=3des-sha1,aes-sha1,aes-sha2/" /etc/ipsec.conf
+IKE_NEW=" ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024"
+PHASE2_NEW=" phase2alg=3des-sha1,aes-sha1,aes-sha2"
+sed -i.old -e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/" \
+ -e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/" \
+ -e "s/^[[:space:]]\+ike=3des-sha1,aes-sha1\$/$IKE_NEW/" \
+ -e "s/^[[:space:]]\+ike=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256\$/$IKE_NEW/" \
+ -e "s/^[[:space:]]\+phase2alg=3des-sha1,aes-sha1\$/$PHASE2_NEW/" \
+ -e "s/^[[:space:]]\+phase2alg=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256\$/$PHASE2_NEW/" /etc/ipsec.conf
 # Restart IPsec service
 service ipsec restart
diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh
index 45e95fc..59fa2e1 100644
--- a/extras/vpnupgrade_centos.sh
+++ b/extras/vpnupgrade_centos.sh
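Review bot: In extras/vpnupgrade.sh the rewritten sed expressions no longer cover `ike=3des-sha1,aes-sha1,aes256-sha2_256` and `phase2alg=3des-sha1,aes-sha1,aes256-sha2_256`, which the removed command did rewrite, so a config carrying those values is now left unchanged with no message. The `\$` anchor also makes every expression skip a line that has trailing whitespace; ending the patterns with `[[:space:]]*\$` would tolerate that. If dropping the `aes256-sha2_256` variants is intended, a comment above `IKE_NEW=` saying so would help; otherwise add the two expressions back in anchored form. The same applies to the identical hunk in extras/vpnupgrade_centos.sh.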
@@ -155,11 +155,14 @@ restorecon /usr/local/sbin -Rv 2>/dev/null
 restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
 # Update ipsec.conf options
-sed -i.old -e "s/auth=esp/phase2=esp/" -e "s/forceencaps=yes/encapsulation=yes/" \
- -e "s/ike=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256/ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024/" \
- -e "s/ike=3des-sha1,aes-sha1,aes256-sha2_256/ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024/" \
- -e "s/phase2alg=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256/phase2alg=3des-sha1,aes-sha1,aes-sha2/" \
- -e "s/phase2alg=3des-sha1,aes-sha1,aes256-sha2_256/phase2alg=3des-sha1,aes-sha1,aes-sha2/" /etc/ipsec.conf
+IKE_NEW=" ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024"
+PHASE2_NEW=" phase2alg=3des-sha1,aes-sha1,aes-sha2"
+sed -i.old -e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/" \
+ -e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/" \
+ -e "s/^[[:space:]]\+ike=3des-sha1,aes-sha1\$/$IKE_NEW/" \
+ -e "s/^[[:space:]]\+ike=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256\$/$IKE_NEW/" \
+ -e "s/^[[:space:]]\+phase2alg=3des-sha1,aes-sha1\$/$PHASE2_NEW/" \
+ -e "s/^[[:space:]]\+phase2alg=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256\$/$PHASE2_NEW/" /etc/ipsec.conf
 # Restart IPsec service
 service ipsec restart
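Review bot: `IKE_NEW` keeps `3des-sha1` and adds a `;modp1024` variant of every proposal, and the new `ike=3des-sha1,aes-sha1` expression now writes that list into configs that previously named no DH group. A 1024-bit MODP group and 3DES are both below current recommendations for IKE. If they are kept for older clients, that reason belongs next to the variable, e.g. `# modp1024/3des are offered only for legacy clients; remove once they are no longer needed`. The same lines appear in extras/vpnupgrade.sh.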