diff --git a/openstack/resource_openstack_vpnaas_ipsec_policy_v2.go b/openstack/resource_openstack_vpnaas_ipsec_policy_v2.go
index 086cd84d3..73824010c 100644
--- a/openstack/resource_openstack_vpnaas_ipsec_policy_v2.go
+++ b/openstack/resource_openstack_vpnaas_ipsec_policy_v2.go
@@ -8,6 +8,7 @@ import (
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
 
 	"github.com/gophercloud/gophercloud"
 	"github.com/gophercloud/gophercloud/openstack/networking/v2/extensions/vpnaas/ipsecpolicies"
@@ -42,16 +43,25 @@ func resourceIPSecPolicyV2() *schema.Resource {
 				Type:     schema.TypeString,
 				Optional: true,
 				Computed: true,
+				ValidateFunc: validation.StringInSlice([]string{
+					"sha1", "sha256", "sha384", "sha512",
+				}, false),
 			},
 			"encapsulation_mode": {
 				Type:     schema.TypeString,
 				Optional: true,
 				Computed: true,
+				ValidateFunc: validation.StringInSlice([]string{
+					"tunnel", "transport",
+				}, false),
 			},
 			"pfs": {
 				Type:     schema.TypeString,
 				Optional: true,
 				Computed: true,
+				ValidateFunc: validation.StringInSlice([]string{
+					"group2", "group5", "group14",
+				}, false),
 			},
 			"encryption_algorithm": {
 				Type:     schema.TypeString,
@@ -66,6 +76,9 @@ func resourceIPSecPolicyV2() *schema.Resource {
 				Type:     schema.TypeString,
 				Optional: true,
 				Computed: true,
+				ValidateFunc: validation.StringInSlice([]string{
+					"esp", "ah", "ah-esp",
+				}, false),
 			},
 
 			"tenant_id": {
diff --git a/website/docs/r/vpnaas_ipsec_policy_v2.html.markdown b/website/docs/r/vpnaas_ipsec_policy_v2.html.markdown
index 36abd0b42..3dccafebc 100644
--- a/website/docs/r/vpnaas_ipsec_policy_v2.html.markdown
+++ b/website/docs/r/vpnaas_ipsec_policy_v2.html.markdown
@@ -46,10 +46,10 @@ The following arguments are supported:
 * `encryption_algorithm` - (Optional) The encryption algorithm. Valid values are 3des, aes-128, aes-192 and so on.
     The default value is aes-128. Changing this updates the existing policy.
 
-* `pfs` - (Optional) The perfect forward secrecy mode. Valid values are Group2, Group5 and Group14. Default is Group5.
-    Changing this updates the existing policy.
+* `pfs` - (Optional) The perfect forward secrecy mode. Valid values are group2, group5 and group14. Default 
+    is group5. Changing this updates the existing policy.
 
-* `transform_protocol` - (Optional) The transform protocol. Valid values are ESP, AH and AH-ESP.
+* `transform_protocol` - (Optional) The transform protocol. Valid values are esp, ah and ah-esp.
     Changing this updates the existing policy. Default is ESP.
 
 * `lifetime` - (Optional) The lifetime of the security association. Consists of Unit and Value.