In general IKEv1 is still acceptable, unless you're dealing with a Cisco ASA, which as of 2020 will only do SHA-1 in IKEv1.
DH Group:
ideal is DH-19 or DH-20
minimum for reasonable security is DH-16; going below that is not recommended
groups 1, 2, 5, 22, 23, and 24 are considered notably (and perhaps unexpectedly) weak
as of 9.15.x, ASAs explicitly no longer do group 24, and restrict availability of other groups to IKEv2 only. This is a problem because the default "work with Azure" VPN setup recipe picks group 24.
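
The ratings above can be turned into a quick config audit. The script below is an added example, not part of the original notes: it reads ASA-style `crypto ikev1 policy` / `crypto ikev2 policy` blocks and reports every DH group that is not DH-19 or DH-20, plus `hash sha` (SHA-1) in IKEv1 policies. The sample config is constructed, and groups the notes do not mention are reported as "unrated", which is an assumption of this example.

```python
import re

# Ratings follow the notes above; groups the notes do not mention are "unrated".
RATINGS = {19: "ideal", 20: "ideal", 16: "minimum",
           1: "weak", 2: "weak", 5: "weak", 22: "weak", 23: "weak", 24: "weak"}

POLICY_RE = re.compile(r"^crypto (ikev[12]) policy (\d+)$")

def classify_group(group):
    return RATINGS.get(group, "unrated")

def audit(config_text):
    """Return (ike_version, policy_number, finding) for every non-ideal setting."""
    findings = []
    current = None  # (version, policy number) of the block being read
    for raw in config_text.splitlines():
        header = POLICY_RE.match(raw.strip())
        if header:
            current = (header.group(1), int(header.group(2)))
            continue
        if not raw.startswith(" "):
            current = None  # unindented line: the policy block has ended
            continue
        words = raw.split()
        if current is None or not words:
            continue
        if words[0] == "group":
            for g in words[1:]:  # IKEv2 policies may list several groups
                if g.isdigit() and classify_group(int(g)) != "ideal":
                    findings.append((*current, f"DH group {g}: {classify_group(int(g))}"))
        elif current[0] == "ikev1" and words == ["hash", "sha"]:
            findings.append((*current, "hash sha: SHA-1"))
    return findings

# Constructed sample in ASA policy syntax, not taken from a real device.
SAMPLE = """\
crypto ikev1 policy 10
 encryption aes-256
 hash sha
 group 2
crypto ikev2 policy 20
 encryption aes-256
 integrity sha256
 group 24 19
crypto ikev2 policy 30
 encryption aes-256
 integrity sha384
 group 20
"""

if __name__ == "__main__":
    for version, number, finding in audit(SAMPLE):
        print(f"{version} policy {number}: {finding}")
```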
This is a collection of technical information, much of it learned the hard way. Consider it a lab book or a /info directory. I doubt much of it will be of use to anyone else.