Setting IKEv2 Phase 2 in Mobile Config appears to generate invalid Apple Profile
Setting "Phase2 PFS Group - Provide the Phase2 PFS group to clients (overrides all mobile phase2 settings)" in Mobile Clients settings on at least IKEv2 appears to generate an invalid mobileconfig profile using the Apple IPsec Profile factory package (ipsec-profile-exporter).
Culprit is probably:
in the child SA config.
Workaround: disable in Mobile Clients config and enable DH group in Phase 2.