diff --git a/lib/libipsecconf/parser.l b/lib/libipsecconf/parser.l
index c41dd8048..cc2faf5c9 100644
--- a/lib/libipsecconf/parser.l
+++ b/lib/libipsecconf/parser.l
@@ -160,7 +160,9 @@ static int parser_y_nextglobfile(struct ic_inputsource *iis)
 		char ebuf[128];
 
 		snprintf(ebuf, sizeof(ebuf),
-			"cannot open include filename: '%s': %s",
+			(strstr(iis->filename, "crypto-policies/back-ends/libreswan.config") == NULL) ?
+				"cannot open include filename: '%s': %s" :
+				"ignored loading default system-wide crypto-policies file '%s': %s",
 			iis->fileglob.gl_pathv[fcnt],
 			strerror(errno));
 		yyerror(ebuf);
diff --git a/programs/configs/ipsec.conf.in b/programs/configs/ipsec.conf.in
index 7374efc3c..974699f01 100644
--- a/programs/configs/ipsec.conf.in
+++ b/programs/configs/ipsec.conf.in
@@ -1,27 +1,18 @@
 # @FINALCONFDIR@/ipsec.conf - Libreswan IPsec configuration file
 #
-# Manual:     ipsec.conf.5
+# see 'man ipsec.conf' and 'man pluto' for more information
+#
+# For example configurations and documentation, see https://libreswan.org/wiki/
 
 config setup
-	# Normally, pluto logs via syslog. If you want to log to a file,
-	# specify below or to disable logging, eg for embedded systems, use
-	# the file name /dev/null
-	# Note: SElinux policies might prevent pluto writing to a log file at
-	#       an unusual location.
+	# Normally, pluto logs via syslog.
 	#logfile=/var/log/pluto.log
 	#
 	# Do not enable debug options to debug configuration issues!
 	#
-	# plutodebug "all", "none" or a combation from below:
-	# "raw crypt parsing emitting control controlmore kernel pfkey
-	#  natt x509 dpd dns oppo oppoinfo private".
-	# Note: "private" is not included with "all", as it can show confidential
-	#       information. It must be specifically specified
-	# examples:
 	# plutodebug="control parsing"
 	# plutodebug="all crypt"
-	# Again: only enable plutodebug when asked by a developer
-	#plutodebug=none
+	plutodebug=none
 	#
 	# NAT-TRAVERSAL support
 	# exclude networks used on server side by adding %v4:!a.b.c.0/24
@@ -30,10 +21,8 @@ config setup
 	# This range has never been announced via BGP (at least up to 2015)
 	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
 
-# For example connections, see your distribution's documentation directory,
-# or https://libreswan.org/wiki/
-#
-# There is also a lot of information in the manual page, "man ipsec.conf"
-#
+# if it exists, include system wide crypto-policy defaults
+include /etc/crypto-policies/back-ends/libreswan.config
+
 # It is best to add your IPsec connections as separate files in @IPSEC_CONFDDIR@/
 include @IPSEC_CONFDDIR@/*.conf