The following looks OK to me. Taking a ``should never get here'' case,
  and forcing level to IPSEC_LEVEL_REQUIRE strikes me as a bug, so I
  haven't (yet) done it.  Any objections to checking in the change below?

That diff looks good to me, and a similar change in netinet6/ipsec.c
is in order.

I don't understand your comment about 'should never get here' and
REQUIRE; I think this is a simple coding error and nothing more.

  BTW, I got the code from FreeBSD, so I assume they have the same
  issue.  Who are the current maintainers of FreeBSD's FAST_IPSEC?

Probably they got it from FreeBSD's KAME, since it matches the bug in
NetBSD's KAME.