Setting IKEv2 Phase 2 in Mobile Config appears to generate invalid Apple Profile
Setting "Phase2 PFS Group - Provide the Phase2 PFS group to clients (overrides all mobile phase2 settings)" in Mobile Clients settings on at least IKEv2 appears to generate an invalid mobileconfig profile using the Apple IPsec Profile factory package (ipsec-profile-exporter).
Culprit is probably:
in the child SA config.
Workaround: disable in Mobile Clients config and enable DH group in Phase 2.
#3 Updated by Viktor Gurov 4 months ago
tested on pfSense 2.4.5.a.20200120.1342 with ipsec-profile-wizard 0.12
no such issue - you can set DH group in both Phase 2 and "Phase2 PFS Group - Provide the Phase2 PFS group to clients (overrides all mobile phase2 settings)" and get correct DH group numbers in remote-access-ipsec.mobileconfig