diff --git a/Changes.rst b/Changes.rst
index de2d8b00..9258230f 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -271,6 +271,11 @@ User-visible Changes
   /etc/openvpn/client (depending on unit file).  This also avoids these new
   unit files and how they work to collide with older pre-existing unit files.
 
+- using ``--no-iv`` (which is generally not a recommended setup) will
+  require explicitly disabling NCP with ``--disable-ncp``.  This is
+  intentional because NCP will by default use AES-GCM, which requires
+  an IV - so we want users of that option to consciously reconsider.
+
 
 Maintainer-visible changes
 --------------------------
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 74f11395..fb0d0dec 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -2341,9 +2341,9 @@ do_init_crypto_tls (struct context *c, const unsigned int flags)
   if (options->mute_replay_warnings)
     to.crypto_flags |= CO_MUTE_REPLAY_WARNINGS;
 
-  to.crypto_flags_and = ~(CO_PACKET_ID_LONG_FORM);
+  to.crypto_flags &= ~(CO_PACKET_ID_LONG_FORM);
   if (packet_id_long_form)
-    to.crypto_flags_or = CO_PACKET_ID_LONG_FORM;
+    to.crypto_flags |= CO_PACKET_ID_LONG_FORM;
 
   to.ssl_ctx = c->c1.ks.ssl_ctx;
   to.key_type = c->c1.ks.key_type;
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 47acd97c..db1cfe35 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -2234,6 +2234,10 @@ options_postprocess_verify_ce (const struct options *options, const struct conne
     {
       msg (M_USAGE, "NCP cipher list contains unsupported ciphers.");
     }
+  if (options->ncp_enabled && !options->use_iv)
+    {
+      msg (M_USAGE, "--no-iv not allowed when NCP is enabled.");
+    }
 
   /*
    * Check consistency of replay options
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 34d163f6..f7217d38 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -881,9 +881,6 @@ key_state_init (struct tls_session *session, struct key_state *ks)
     }
 
   ks->crypto_options.pid_persist = NULL;
-  ks->crypto_options.flags = session->opt->crypto_flags;
-  ks->crypto_options.flags &= session->opt->crypto_flags_and;
-  ks->crypto_options.flags |= session->opt->crypto_flags_or;
 
 #ifdef MANAGEMENT_DEF_AUTH
   ks->mda_key_id = session->opt->mda_context->mda_key_id_counter++;
@@ -1823,6 +1820,7 @@ tls_session_generate_data_channel_keys(struct tls_session *session)
 
   ASSERT (ks->authenticated);
 
+  ks->crypto_options.flags = session->opt->crypto_flags;
   if (!generate_key_expansion (&ks->crypto_options.key_ctx_bi,
       &session->opt->key_type, ks->key_src, client_sid, server_sid,
       session->opt->server))
@@ -1857,9 +1855,9 @@ tls_session_update_crypto_params(struct tls_session *session,
       options->authname, options->keysize, true, true);
 
   bool packet_id_long_form = cipher_kt_mode_ofb_cfb (session->opt->key_type.cipher);
-  session->opt->crypto_flags_and &= ~(CO_PACKET_ID_LONG_FORM);
+  session->opt->crypto_flags &= ~(CO_PACKET_ID_LONG_FORM);
   if (packet_id_long_form)
-    session->opt->crypto_flags_and = CO_PACKET_ID_LONG_FORM;
+    session->opt->crypto_flags |= CO_PACKET_ID_LONG_FORM;
 
   /* Update frame parameters: undo worst-case overhead, add actual overhead */
   frame_add_to_extra_frame (frame, -(crypto_max_overhead()));
diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h
index 7938f41f..8164bbcd 100644
--- a/src/openvpn/ssl_common.h
+++ b/src/openvpn/ssl_common.h
@@ -279,8 +279,6 @@ struct tls_options
 
   /* struct crypto_option flags */
   unsigned int crypto_flags;
-  unsigned int crypto_flags_and;
-  unsigned int crypto_flags_or;
 
   int replay_window;                   /* --replay-window parm */
   int replay_time;                     /* --replay-window parm */