macOS IKEv2 VPN client not working with RouterOS

I have configured my RouterOS for an IKEv2 server using a CA certificate and .p12 files. It works well with iPhone and macOS. But when my MacBook Air M2 came, the same files did not allow me to connect.

The MacBook Air now comes with macOS Ventura 13.1. Not sure what I can do on the MacBook to allow me to connect to the RouterOS router.

Thanks

CK

Hi,

Are you still having the same problem?

I am experiencing this issue on macOS ventura 13.2.1.

Config mikrotik server:

/ip ipsec mode-config
add address-pool=pool_full name=cfg_ikev2

/ip ipsec policy group
add name=group_ikev2

/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-128
add dh-group=ecp256,ecp384,ecp521,modp2048 enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha256 name=pf_pha1_ikev2 prf-algorithm=sha256

/ip ipsec peer
add exchange-mode=ike2 name=peer_ikev2 passive=yes profile=pf_pha1_ikev2 send-initial-contact=no

/ip ipsec proposal
set [ find default=yes ] disabled=yes enc-algorithms=aes-128-cbc pfs-group=none
add auth-algorithms=sha512,sha256,sha1 name=pp_pha2_ikev2 pfs-group=none

/ip ipsec identity
add auth-method=eap-radius certificate=IKEv2_SV.new.crt comment="To_Radius" generate-policy=port-strict mode-config=cfg_ikev2 peer=peer_ikev2 policy-template-group=\
    group_ikev2

/ip ipsec policy
set 0 disabled=yes
add comment=Policy_IKEv2 group=group_ikev2 proposal=pp_pha2_ikev2 template=yes

/ip ipsec settings
set interim-update=1m xauth-use-radius=yes

Some log messages:

Client: 1.1.1.1
Server: 2.2.2.2
FQDN: vpn2.serverexample.com

Feb/21/2023 12:13:24 ipsec ike2 respond finish: request, exchange: SA_INIT:0 1.1.1.1[500] 2c045a2d3530d05e:0000000000000000
Feb/21/2023 12:13:24 ipsec processing payload: NONCE
Feb/21/2023 12:13:24 ipsec adding payload: SA
Feb/21/2023 12:13:24 ipsec,debug => (size 0x30)
Feb/21/2023 12:13:24 ipsec adding payload: KE
Feb/21/2023 12:13:24 ipsec,debug => (first 0x100 of 0x108)
Feb/21/2023 12:13:24 ipsec adding payload: NONCE
Feb/21/2023 12:13:24 ipsec,debug => (size 0x1c)
Feb/21/2023 12:13:24 ipsec adding notify: NAT_DETECTION_SOURCE_IP
Feb/21/2023 12:13:24 ipsec adding notify: NAT_DETECTION_DESTINATION_IP
Feb/21/2023 12:13:24 ipsec adding notify: IKEV2_FRAGMENTATION_SUPPORTED
Feb/21/2023 12:13:24 ipsec adding payload: CERTREQ
Feb/21/2023 12:13:24 ipsec <- ike2 reply, exchange: SA_INIT:0 1.1.1.1[500] 2c045a2d3530d05e:a2bfd64d7df81189
Feb/21/2023 12:13:24 ipsec,debug ===== sending 437 bytes from 2.2.2.2[500] to 1.1.1.1[500]
Feb/21/2023 12:13:24 ipsec,debug 1 times of 437 bytes message will be sent to 1.1.1.1[500]
Feb/21/2023 12:13:24 ipsec,debug => skeyseed (size 0x20)
Feb/21/2023 12:13:24 ipsec,debug 3c46b50d bf3352ff e47fb88b bfa9b929 e7d20da1 9a4ba82e 48cd488b 00e52b43
Feb/21/2023 12:13:24 ipsec,debug => keymat (size 0x20)
Feb/21/2023 12:13:24 ipsec,debug 4434e8e7 0b425fca d9586ab9 0dee48e6 a32c7fc3 254a356f 7d51d86f 96344b18
Feb/21/2023 12:13:24 ipsec,debug => SK_ai (size 0x20)
Feb/21/2023 12:13:24 ipsec,debug acd8cdcb 9233e191 dc73dd79 a26b2826 2fe0d778 44138176 6039028e d093134c
Feb/21/2023 12:13:24 ipsec,debug => SK_ar (size 0x20)
Feb/21/2023 12:13:24 ipsec,debug 3136f5d6 06cdd399 5e2ea0dc db99aa3a a6a7cdb3 8dcdbff0 c42e9f9f 397b4ed9
Feb/21/2023 12:13:24 ipsec,debug => SK_ei (size 0x20)
Feb/21/2023 12:13:24 ipsec,debug a16f295e f6f48303 69d239fe ff1e2798 0296eedb e59bf390 152abf63 a9a07370
Feb/21/2023 12:13:24 ipsec,debug => SK_er (size 0x20)
Feb/21/2023 12:13:24 ipsec,debug b3a92f3b 3c69b68a e49f5bd1 6db61fff 50e77637 50020f4b 8668d4f2 4ad7a31a
Feb/21/2023 12:13:24 ipsec,debug => SK_pi (size 0x20)
Feb/21/2023 12:13:24 ipsec,debug d6378fd0 67540671 65068930 86512a9f 3076001c 396fadae 80dd5f3b dbb580da
Feb/21/2023 12:13:24 ipsec,debug => SK_pr (size 0x20)
Feb/21/2023 12:13:24 ipsec,debug 05f279c0 a4ece297 26b3828a 1884652f 42d0ec0e 64f1db63 4c3ca361 47af46ef
Feb/21/2023 12:13:24 ipsec,info new ike2 SA (R): peer_ikev2 2.2.2.2[500]-1.1.1.1[500] spi:a2bfd64d7df81189:2c045a2d3530d05e
Feb/21/2023 12:13:24 ipsec processing payloads: VID (none found)
Feb/21/2023 12:13:24 ipsec processing payloads: NOTIFY
Feb/21/2023 12:13:24 ipsec   notify: REDIRECT_SUPPORTED
Feb/21/2023 12:13:24 ipsec   notify: NAT_DETECTION_SOURCE_IP
Feb/21/2023 12:13:24 ipsec   notify: NAT_DETECTION_DESTINATION_IP
Feb/21/2023 12:13:24 ipsec   notify: IKEV2_FRAGMENTATION_SUPPORTED
Feb/21/2023 12:13:24 ipsec (NAT-T) REMOTE LOCAL
Feb/21/2023 12:13:24 ipsec KA list add: 2.2.2.2[4500]->1.1.1.1[4500]
Feb/21/2023 12:13:24 ipsec fragmentation negotiated
Feb/21/2023 12:13:25 ipsec,debug ===== received 512 bytes from 1.1.1.1[4500] to 2.2.2.2[4500]
Feb/21/2023 12:13:25 ipsec -> ike2 request, exchange: AUTH:1 1.1.1.1[4500] 2c045a2d3530d05e:a2bfd64d7df81189
Feb/21/2023 12:13:25 ipsec payload seen: ENC (484 bytes)
Feb/21/2023 12:13:25 ipsec processing payload: ENC
Feb/21/2023 12:13:25 ipsec,debug => iv (size 0x10)
Feb/21/2023 12:13:25 ipsec,debug f050105d e9d9f3e0 14522bab 675bdeb4
Feb/21/2023 12:13:25 ipsec,debug decrypted packet
Feb/21/2023 12:13:25 ipsec payload seen: ID_I (12 bytes)
Feb/21/2023 12:13:25 ipsec payload seen: NOTIFY (8 bytes)
Feb/21/2023 12:13:25 ipsec payload seen: ID_R (26 bytes)
Feb/21/2023 12:13:25 ipsec payload seen: CONFIG (40 bytes)
Feb/21/2023 12:13:25 ipsec payload seen: NOTIFY (8 bytes)
Feb/21/2023 12:13:25 ipsec payload seen: NOTIFY (8 bytes)
Feb/21/2023 12:13:25 ipsec payload seen: SA (200 bytes)
Feb/21/2023 12:13:25 ipsec payload seen: TS_I (64 bytes)
Feb/21/2023 12:13:25 ipsec payload seen: TS_R (64 bytes)
Feb/21/2023 12:13:25 ipsec payload seen: NOTIFY (8 bytes)
Feb/21/2023 12:13:25 ipsec processing payloads: NOTIFY
Feb/21/2023 12:13:25 ipsec   notify: INITIAL_CONTACT
Feb/21/2023 12:13:25 ipsec   notify: ESP_TFC_PADDING_NOT_SUPPORTED
Feb/21/2023 12:13:25 ipsec   notify: NON_FIRST_FRAGMENTS_ALSO
Feb/21/2023 12:13:25 ipsec   notify: MOBIKE_SUPPORTED
Feb/21/2023 12:13:25 ipsec ike auth: respond
Feb/21/2023 12:13:25 ipsec processing payload: ID_I
Feb/21/2023 12:13:25 ipsec ID_I (ADDR4): 192.168.86.149
Feb/21/2023 12:13:25 ipsec processing payload: ID_R
Feb/21/2023 12:13:25 ipsec ID_R (FQDN): vpn2.serverexample.com
Feb/21/2023 12:13:25 ipsec processing payload: AUTH (not found)
Feb/21/2023 12:13:25 ipsec requested server id: vpn2.serverexample.com
Feb/21/2023 12:13:25 ipsec processing payloads: NOTIFY
Feb/21/2023 12:13:25 ipsec   notify: INITIAL_CONTACT
Feb/21/2023 12:13:25 ipsec   notify: ESP_TFC_PADDING_NOT_SUPPORTED
Feb/21/2023 12:13:25 ipsec   notify: NON_FIRST_FRAGMENTS_ALSO
Feb/21/2023 12:13:25 ipsec   notify: MOBIKE_SUPPORTED
Feb/21/2023 12:13:25 ipsec ID_R (FQDN): vpn2.serverexample.com
Feb/21/2023 12:13:25 ipsec adding payload: ID_R
Feb/21/2023 12:13:25 ipsec,debug => (size 0x1a)
Feb/21/2023 12:13:25 ipsec,debug 0000001a 02000000 6c696e6b 322e6d79 77766c69 6e6b2e63 6f6d
Feb/21/2023 12:13:25 ipsec cert: C=SP, S=SP, L=VA, O=OPS Servers, OU=OPS IT We, CN=SV_vpn2.serverexample.com
Feb/21/2023 12:13:25 ipsec adding payload: CERT
Feb/21/2023 12:13:25 ipsec,debug => (first 0x100 of 0x265)
Feb/21/2023 12:13:25 ipsec,debug => auth nonce (size 0x10)
Feb/21/2023 12:13:25 ipsec,debug 3f8b407a c07ead09 ae0dd1c9 31deb7dd
Feb/21/2023 12:13:25 ipsec,debug => SK_p (size 0x20)
Feb/21/2023 12:13:25 ipsec,debug 05f279c0 a4ece297 26b3828a 1884652f 42d0ec0e 64f1db63 4c3ca361 47af46ef
Feb/21/2023 12:13:25 ipsec,debug => idhash (size 0x20)
Feb/21/2023 12:13:25 ipsec,debug 088f262b d712d809 26b74b7f 2bca3ae7 4041521d 738c61da b2bfd777 f5797d16
Feb/21/2023 12:13:25 ipsec,debug => my auth (size 0x40)
Feb/21/2023 12:13:25 ipsec,debug bc1f73ef 0874960b 64784007 5cf3b8e0 9b1dbac3 1d7878a4 327fa0bf 6b6962da
Feb/21/2023 12:13:25 ipsec,debug 38d14cb7 26f537f1 429bec18 76bf9d47 527e1dcc 6d6c3f2a 6ff7485b 70393181
Feb/21/2023 12:13:25 ipsec adding payload: AUTH
Feb/21/2023 12:13:25 ipsec,debug => (size 0x48)
Feb/21/2023 12:13:25 ipsec,debug 00000048 09000000 bc1f73ef 0874960b 64784007 5cf3b8e0 9b1dbac3 1d7878a4
Feb/21/2023 12:13:25 ipsec,debug 327fa0bf 6b6962da 38d14cb7 26f537f1 429bec18 76bf9d47 527e1dcc 6d6c3f2a
Feb/21/2023 12:13:25 ipsec,debug 6ff7485b 70393181
Feb/21/2023 12:13:25 ipsec adding payload: EAP
Feb/21/2023 12:13:25 ipsec,debug => (size 0x9)
Feb/21/2023 12:13:25 ipsec,debug 00000009 01000005 01
Feb/21/2023 12:13:25 ipsec <- ike2 reply, exchange: AUTH:1 1.1.1.1[4500] 2c045a2d3530d05e:a2bfd64d7df81189
Feb/21/2023 12:13:25 ipsec,debug ===== sending 912 bytes from 2.2.2.2[4500] to 1.1.1.1[4500]
Feb/21/2023 12:13:25 ipsec,debug 1 times of 916 bytes message will be sent to 1.1.1.1[4500]
Feb/21/2023 12:13:26 ipsec,debug KA: 2.2.2.2[4500]->1.1.1.1[4500]
Feb/21/2023 12:13:26 ipsec,debug 1 times of 1 bytes message will be sent to 1.1.1.1[4500]
Feb/21/2023 12:13:46 ipsec,debug KA: 2.2.2.2[4500]->1.1.1.1[4500]
Feb/21/2023 12:13:46 ipsec,debug 1 times of 1 bytes message will be sent to 1.1.1.1[4500]
Feb/21/2023 12:13:54 ipsec child negitiation timeout in state 2
Feb/21/2023 12:13:54 ipsec,info killing ike2 SA: peer_ikev2 2.2.2.2[4500]-1.1.1.1[4500] spi:a2bfd64d7df81189:2c045a2d3530d05e
Feb/21/2023 12:13:54 ipsec KA remove: 2.2.2.2[4500]->1.1.1.1[4500]
Feb/21/2023 12:13:54 ipsec,debug KA tree dump: 2.2.2.2[4500]->1.1.1.1[4500] (in_use=1)
Feb/21/2023 12:13:54 ipsec,debug KA removing this one...

Support for 4 days with no response yet.

Thanks!

Regards,
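The log excerpt above shows the shape of the failure: the client's IKE_AUTH request carries no AUTH payload ("processing payload: AUTH (not found)", which is how an IKEv2 initiator signals it wants EAP), the router answers with CERT, AUTH and an EAP payload, and then nothing more arrives from the client until "child negitiation timeout" 29 seconds later. The following script is an added example (not from the thread or from MikroTik) that parses RouterOS ipsec log lines and reports exactly that pattern, so the same check can be run over a larger log without reading it by hand. The sample lines are a trimmed copy of the excerpt above; the placeholder addresses 1.1.1.1 and 2.2.2.2 are the poster's.

```python
"""Spot a stalled IKEv2 EAP exchange in RouterOS ipsec log output.

Added example, not part of the forum thread or of RouterOS. The sample
below is constructed from the poster's excerpt (trimmed to the lines the
analysis needs).
"""
import re
from datetime import datetime

SAMPLE_LOG = """\
Feb/21/2023 12:13:24 ipsec <- ike2 reply, exchange: SA_INIT:0 1.1.1.1[500] 2c045a2d3530d05e:a2bfd64d7df81189
Feb/21/2023 12:13:24 ipsec,info new ike2 SA (R): peer_ikev2 2.2.2.2[500]-1.1.1.1[500] spi:a2bfd64d7df81189:2c045a2d3530d05e
Feb/21/2023 12:13:25 ipsec -> ike2 request, exchange: AUTH:1 1.1.1.1[4500] 2c045a2d3530d05e:a2bfd64d7df81189
Feb/21/2023 12:13:25 ipsec ID_I (ADDR4): 192.168.86.149
Feb/21/2023 12:13:25 ipsec processing payload: AUTH (not found)
Feb/21/2023 12:13:25 ipsec adding payload: CERT
Feb/21/2023 12:13:25 ipsec adding payload: AUTH
Feb/21/2023 12:13:25 ipsec adding payload: EAP
Feb/21/2023 12:13:25 ipsec <- ike2 reply, exchange: AUTH:1 1.1.1.1[4500] 2c045a2d3530d05e:a2bfd64d7df81189
Feb/21/2023 12:13:26 ipsec,debug KA: 2.2.2.2[4500]->1.1.1.1[4500]
Feb/21/2023 12:13:46 ipsec,debug KA: 2.2.2.2[4500]->1.1.1.1[4500]
Feb/21/2023 12:13:54 ipsec child negitiation timeout in state 2
Feb/21/2023 12:13:54 ipsec,info killing ike2 SA: peer_ikev2 2.2.2.2[4500]-1.1.1.1[4500] spi:a2bfd64d7df81189:2c045a2d3530d05e
"""

# "Feb/21/2023 12:13:24 ipsec,debug <message>"  -> timestamp, topics, message
LINE_RE = re.compile(r"^(?P<ts>\w{3}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (?P<topics>[\w,]+) (?P<msg>.*)$")
# "<- ike2 reply, exchange: AUTH:1 1.1.1.1[4500] ..."  -> direction, exchange, message id
EXCH_RE = re.compile(r"ike2 (?P<dir>request|reply), exchange: (?P<exch>\w+):(?P<msgid>\d+) (?P<peer>\S+)")


def parse_line(line):
    """Return {'ts', 'topics', 'msg'} for one RouterOS log line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%b/%d/%Y %H:%M:%S"),
        "topics": m["topics"].split(","),
        "msg": m["msg"],
    }


def analyze(log_text):
    """Track one IKE_AUTH exchange and say whether it stalled inside EAP."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    state = {
        "client_deferred_auth": False,   # no AUTH payload in IKE_AUTH request: client asks for EAP
        "eap_request_sent": False,       # responder put an EAP payload into its IKE_AUTH reply
        "eap_reply_at": None,
        "client_messages_after_eap": 0,  # further requests from the client after the EAP reply
        "timeout_after_s": None,         # seconds from the EAP reply to the negotiation timeout
        "diagnosis": "no IKE_AUTH exchange seen",
    }
    pending_eap = False
    for ev in events:
        msg = ev["msg"]
        if msg.startswith("processing payload: AUTH (not found)"):
            state["client_deferred_auth"] = True
        elif msg == "adding payload: EAP":
            pending_eap = True
        m = EXCH_RE.search(msg)
        if m:
            if m["dir"] == "reply" and m["exch"] == "AUTH" and pending_eap:
                state["eap_request_sent"] = True
                state["eap_reply_at"] = ev["ts"]
                pending_eap = False
            elif m["dir"] == "request" and state["eap_reply_at"] is not None:
                state["client_messages_after_eap"] += 1
        # RouterOS spells this message "negitiation"; accept both spellings.
        if "negitiation timeout" in msg or "negotiation timeout" in msg:
            if state["eap_reply_at"] is not None:
                delta = ev["ts"] - state["eap_reply_at"]
                state["timeout_after_s"] = int(delta.total_seconds())

    if state["eap_request_sent"] and state["client_messages_after_eap"] == 0 and state["timeout_after_s"] is not None:
        state["diagnosis"] = ("client never answered the EAP request: the IKE proposals already "
                              "negotiated, so look at the client's EAP handling (macOS Console, "
                              "NEIKEv2Provider lines) and the RADIUS side rather than the ciphers")
    elif state["eap_request_sent"]:
        state["diagnosis"] = "EAP conversation continued after the first request; check the RADIUS reply"
    elif events and not state["client_deferred_auth"]:
        state["diagnosis"] = "client sent an AUTH payload: certificate or PSK path, not EAP"
    return state


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it over the output of `/log print` filtered to the ipsec topic; a diagnosis of "client never answered the EAP request" means the router side finished its part of IKE_AUTH and the next thing to inspect is the client, which is what the later replies in this thread end up doing with Console.app.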

Yes, I am unable to connect.

I successfully connect to IKEv2 VPN on macOS 13.2.1 (M1 Max CPU), both to the 6.x branch and the 7.x branch. Try also watching the IPsec logs in macOS Console.app.

With username/password + certificate?

Without a certificate it is working.

Note: Support opened last 21/02/2023 with no response.

Regards,

With certificate only (User Authentication: None, Machine Authentication: Certificate).

Hi,

Self-generated certificates? RSA2048? ECDP?

Thanks!

Self-signed, RSA2048. Used fields are “Common Name” and “Subject Alt. Name: DNS” (same as “Common Name”). Key Usage - “tls client” for client and “tls server” for server.

OK, thanks a lot!

I have the same and it still doesn’t work.

I’ll keep checking.

Thank you so much.

Regards,

The Console app (in the Utilities folder) might be useful to help locate the error in macOS. Enable “Errors and Faults” and look for “neagent” lines. IPsec logging is enabled by default.

I see only one big difference (except RADIUS auth):

Mine:

/ip ipsec proposal
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc name=server-ikev2 pfs-group=none

And yours doesn't have "enc-algorithms" on this line in your config. Maybe it will help?
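The comparison above is easier to make mechanically once the export lines are parsed. The script below is an added example (not from the thread or from MikroTik) that turns RouterOS `/ip ipsec` export lines into dictionaries and checks an initiator's offered transforms against the responder's phase 1 profile and phase 2 proposal, reporting the first attribute that has no common value and flagging attributes the export line does not set at all (such as the missing `enc-algorithms` noted above). The three export lines are copied from this thread; the initiator offer is constructed for illustration and is not a real client's proposal.

```python
"""Parse RouterOS /ip ipsec export lines and check an initiator's offer
against a responder's profile (phase 1) and proposal (phase 2).

Added example, not from the thread or from MikroTik. Export lines below
are copied from the thread; the OFFER_* dictionaries are constructed.
"""
import shlex

POSTER_PROFILE = ("add dh-group=ecp256,ecp384,ecp521,modp2048 enc-algorithm=aes-256,aes-192,aes-128 "
                  "hash-algorithm=sha256 name=pf_pha1_ikev2 prf-algorithm=sha256")
POSTER_PROPOSAL = "add auth-algorithms=sha512,sha256,sha1 name=pp_pha2_ikev2 pfs-group=none"
REPLIER_PROPOSAL = "add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc name=server-ikev2 pfs-group=none"

# Constructed initiator offers, in the initiator's preference order.
OFFER_PHASE1 = {"enc": ["aes-256"], "integ": ["sha256"], "dh": ["modp2048", "ecp256"]}
OFFER_PHASE2 = {"enc": ["aes-256-cbc"], "integ": ["sha256"], "dh": ["none"]}

# RouterOS names the same attribute differently in profile and proposal exports.
PHASE1_KEYS = {"enc": "enc-algorithm", "integ": "hash-algorithm", "dh": "dh-group"}
PHASE2_KEYS = {"enc": "enc-algorithms", "integ": "auth-algorithms", "dh": "pfs-group"}


def parse_export_line(line):
    """`add k=v k2=a,b` or `set [ find default=yes ] k=v` -> dict.

    Comma-separated values become lists; shlex handles quoted values
    such as comment="Policy IKEv2".
    """
    tokens = shlex.split(line)
    result = {"_verb": tokens[0]}
    i = 1
    if len(tokens) > 1 and tokens[1] == "[":          # `set [ find ... ]` selector
        close = tokens.index("]")
        result["_selector"] = " ".join(tokens[2:close])
        i = close + 1
    for tok in tokens[i:]:
        key, _, val = tok.partition("=")
        parts = val.split(",")
        result[key] = parts if len(parts) > 1 else val
    return result


def as_list(value):
    if value is None:
        return None
    return value if isinstance(value, list) else [value]


def negotiate(offer, responder, keys):
    """Return (chosen, problems).

    For each attribute, pick the initiator's first value the responder
    allows. An attribute missing from the export line is reported rather
    than guessed, because RouterOS then applies its built-in default.
    """
    chosen, problems = {}, []
    for attr, key in keys.items():
        allowed = as_list(responder.get(key))
        if allowed is None:
            problems.append(f"{key} not set on this line; RouterOS applies its default, "
                            f"verify with '/ip ipsec profile print' or '/ip ipsec proposal print'")
            continue
        match = next((v for v in offer.get(attr, []) if v in allowed), None)
        if match is None:
            problems.append(f"no common {key}: offered {offer.get(attr)} vs allowed {allowed}")
        else:
            chosen[attr] = match
    return chosen, problems


if __name__ == "__main__":
    for label, line, offer, keys in [
        ("poster phase 1", POSTER_PROFILE, OFFER_PHASE1, PHASE1_KEYS),
        ("poster phase 2", POSTER_PROPOSAL, OFFER_PHASE2, PHASE2_KEYS),
        ("replier phase 2", REPLIER_PROPOSAL, OFFER_PHASE2, PHASE2_KEYS),
    ]:
        chosen, problems = negotiate(offer, parse_export_line(line), keys)
        print(label, "->", chosen, problems or "ok")
```

Feed it the lines from `/ip ipsec export hide-sensitive`; anything listed under problems is either a genuine mismatch or an attribute whose effective value has to be read from `print` output rather than the export, and both are worth pinning down before changing certificates.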

I’ve been using IKE/IPsec on macOS 11/12 for a long time without any problems. However, it seems that some kind of change has been made in macOS 13 (Ventura), since several others have encountered difficulties with IKE/IPsec.

Just a few examples:

Hi,

Thanks.

I managed to get the IKEv2 client working with certificates.

But when it gets involved in the EAP process for radius, it doesn’t work:

NEIKEv2Provider: (NetworkExtension) [com.apple.networkextension:] IKEv2Session: Processing response for message 5

NEIKEv2Provider: (NetworkExtension) [com.apple.networkextension:] IKEv2IKESA[1.1, ] state Connecting -> Disconnected error (null) -> Error Domain=NEIKEv2ErrorDomain Code=8 "Authentication: EAP error" UserInfo={NSLocalizedDescription=Authentication: EAP error}

NEIKEv2Provider: (NetworkExtension) [com.apple.networkextension:] IKEv2Session[1, ] Failed to process IKE Auth (EAP) packet (connect)

NEIKEv2Provider: (NetworkExtension) [com.apple.networkextension:] IKEv2IKESA[1.1, ] not changing state Disconnected nor error Error Domain=NEIKEv2ErrorDomain Code=8 "Authentication: EAP error" UserInfo={NSLocalizedDescription=Authentication: EAP error} -> Error Domain=NEIKEv2ErrorDomain Code=6 "PeerInvalidSyntax" UserInfo={NSLocalizedDescription=PeerInvalidSyntax}

NEIKEv2Provider: (NetworkExtension) [com.apple.networkextension:] IKEv2Session[1, ] Failed to process IKE Auth packet (connect)

NEIKEv2Provider: (NetworkExtension) [com.apple.networkextension:] IKEv2IKESA[1.1, ] not changing state Disconnected nor error Error Domain=NEIKEv2ErrorDomain Code=8 "Authentication: EAP error" UserInfo={NSLocalizedDescription=Authentication: EAP error} -> Error Domain=NEIKEv2ErrorDomain Code=6 "PeerInvalidSyntax: Failed to process IKE Auth packet (connect)" UserInfo={NSLocalizedDescription=PeerInvalidSyntax: Failed to process IKE Auth packet (connect)}

NEIKEv2Provider: (NetworkExtension) [com.apple.networkextension:] IKEv2Session[1, ] Reporting state Disconnected error Error Domain=NEIKEv2ErrorDomain Code=8 "Authentication: EAP error" UserInfo={NSLocalizedDescription=Authentication: EAP error}

NEIKEv2Provider: (NetworkExtension) [com.apple.networkextension:] ChildSA[1, (null)-(null)] state Connecting -> Disconnected error (null) -> Error Domain=NEIKEv2ErrorDomain Code=8 "Authentication: EAP error" UserInfo={NSLocalizedDescription=Authentication: EAP error}

NEIKEv2Provider: (NetworkExtension) [com.apple.networkextension:] Resetting IKEv2Session[1, ]

NEIKEv2Provider: (NetworkExtension) [com.apple.networkextension:] Aborting session IKEv2Session[1, ]

NEIKEv2Provider: (NetworkExtension) [com.apple.networkextension:] IKEv2Session[1, ] KernelSASession[1, IKEv2 Session Database] Uninstalling all child SAs

NEIKEv2Provider: (NetworkExtension) [com.apple.networkextension:] KernelSASession[1, IKEv2 Session Database] Removing all SAs

NEIKEv2Provider: (NetworkExtension) [com.apple.networkextension:] Invalidate

Regards,

Hi,

Thank you all, I solved my problems. In my case it was a matter of the EAP configuration of the radius server, I needed to have the CA and SV certificate (which the mikrotik already had and it worked before…).

@cklee234 Can you attach screenshots of the configuration in the macOS and the logs of the mikrotik to try to help you if you wish?

Regards,

For anyone else who may have issues in the future… the IKEv2 implementation in macOS/iOS/iPadOS is actually more flexible than what you see in your system settings. You can actually choose your own encryption algorithm, integrity algorithm and DH group, along with a ton of other settings. In order to set it up you need to download and use Apple Configurator.
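The settings the post above refers to live in a configuration profile (.mobileconfig) rather than in System Settings. The following script is an added example, not Apple's or MikroTik's code, that builds such a profile with Python's standard `plistlib`, mapping RouterOS algorithm names onto the values Apple's Configuration Profile Reference documents for the `com.apple.vpn.managed` payload (`IKESecurityAssociationParameters`, `ChildSecurityAssociationParameters`, `EnablePFS`). The server name, identifiers and payload identifiers are placeholders, the algorithm mapping only covers the names used in this thread, and omitting the child DH group when PFS is off relies on Apple's documented default for that key; install the resulting file with Apple Configurator or by double-clicking it.

```python
"""Generate an IKEv2 .mobileconfig whose IKE and child SA parameters are
pinned to match a RouterOS profile/proposal.

Added example, not Apple's or MikroTik's code. Key names follow Apple's
Configuration Profile Reference; server name, identifiers and UUIDs are
placeholders, and the algorithm maps only cover names used in the thread.
"""
import plistlib
import uuid

# RouterOS name -> Apple profile value (assumption: limited to this thread's algorithms).
ENC_MAP = {"aes-128": "AES-128", "aes-256": "AES-256",
           "aes-128-cbc": "AES-128", "aes-256-cbc": "AES-256"}
INTEG_MAP = {"sha1": "SHA1-96", "sha256": "SHA2-256", "sha384": "SHA2-384", "sha512": "SHA2-512"}
DH_MAP = {"modp1024": 2, "modp2048": 14, "ecp256": 19, "ecp384": 20, "ecp521": 21}


def sa_params(enc, integ, dh=None, lifetime_min=1440):
    """Build one SecurityAssociationParameters dictionary.

    dh=None leaves DiffieHellmanGroup out (used for the child SA when the
    RouterOS proposal has pfs-group=none; Apple's default then applies).
    """
    params = {
        "EncryptionAlgorithm": ENC_MAP[enc],
        "IntegrityAlgorithm": INTEG_MAP[integ],
        "LifeTimeInMinutes": lifetime_min,
    }
    if dh is not None:
        params["DiffieHellmanGroup"] = DH_MAP[dh]
    return params


def build_profile(server, ike, child, pfs, eap_user=None, cert_payload_uuid=None):
    """Return the .mobileconfig as bytes.

    ike / child are (enc, integ, dh) tuples in RouterOS names; eap_user
    turns on EAP (RouterOS auth-method=eap-radius); cert_payload_uuid
    points at a PKCS#12 payload that the caller adds to PayloadContent.
    """
    ikev2 = {
        "RemoteAddress": server,
        "RemoteIdentifier": server,               # must equal the router's ID_R
        "LocalIdentifier": "macbook-client",       # placeholder
        "ServerCertificateCommonName": server,
        "EnablePFS": pfs,
        "IKESecurityAssociationParameters": sa_params(*ike),
        "ChildSecurityAssociationParameters": sa_params(*child),
        "DeadPeerDetectionRate": "Medium",
        "DisableMOBIKE": 0,
    }
    if cert_payload_uuid:
        ikev2["AuthenticationMethod"] = "Certificate"
        ikev2["PayloadCertificateUUID"] = cert_payload_uuid
    else:
        ikev2["AuthenticationMethod"] = "None"     # machine auth off; EAP only
    ikev2["ExtendedAuthEnabled"] = eap_user is not None
    if eap_user is not None:
        ikev2["AuthName"] = eap_user               # password is prompted or added as AuthPassword

    vpn_payload = {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.vpn.ikev2.vpn",   # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"IKEv2 {server}",
        "UserDefinedName": f"IKEv2 {server}",
        "VPNType": "IKEv2",
        "IKEv2": ikev2,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.vpn.ikev2",       # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"IKEv2 {server}",
        "PayloadContent": [vpn_payload],
    }
    return plistlib.dumps(profile)


if __name__ == "__main__":
    # Matches the thread's pf_pha1_ikev2 (ecp256 / aes-256 / sha256) and a
    # phase 2 proposal of aes-256-cbc / sha256 with pfs-group=none.
    data = build_profile("vpn.example.com", ("aes-256", "sha256", "ecp256"),
                         ("aes-256-cbc", "sha256", None), pfs=False, eap_user="alice")
    with open("ikev2-vpn.mobileconfig", "wb") as fh:
        fh.write(data)
    print(data.decode())
```

Because the profile pins the transforms, a failure after installing it is no longer a question of what the GUI picked by default, and the router's proposal line can be compared directly against the values written into the profile.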

I use certificate only.

Hi,

Is the certificate marked as trust in macOS?

What is your setting on the mikrotik?

/ip ipsec export hide-sensitive

Regards,

Certainly, I trust the certificates already.

Hi,

In order to help you, we need you to attach the following:

  • Screenshot of the settings applied in macOS.
  • Mikrotik router configuration:
/ip ipsec export hide-sensitive
  • Mikrotik and macOS logs when the failure occurs.

Regards,

Here is my /ip ipsec export:

/ip ipsec mode-config
set [ find default=yes ] use-responder-dns=no
add address-pool=Xauth_Pool address-prefix-length=32 name=Xauth split-include=192.168.0.0/16 static-dns=192.168.118.1 system-dns=no
add address-pool=IKE2-Pool address-prefix-length=32 name=IKE2 static-dns=203.185.0.34 system-dns=no
add name=dVPS responder=no
/ip ipsec peer
add address=[some name] disabled=yes exchange-mode=ike2 local-address=[some IP] name=vps
/ip ipsec policy group
add name=xauth-s
add name=ike2-s
add name=ike2-c
add name=l2tp-s
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-256,aes-128,3des
add dh-group=modp1024 dpd-interval=disable-dpd enc-algorithm=aes-128 name=ros
add dh-group=modp1024 enc-algorithm=3des hash-algorithm=md5 name=draytek
add dh-group=ecp256 enc-algorithm=aes-128 hash-algorithm=sha256 name=vps
add name=dVPS
add name=defconf
/ip ipsec peer
add address=[some name] disabled=yes exchange-mode=ike2 local-address=[some IP] name=gfx.ike2c profile=ros
add address=[some name] disabled=yes local-address=[some ip] name=edmonduk profile=draytek
add address=[some name] disabled=yes local-address=[some ip] name=mandymak profile=draytek
add exchange-mode=ike2 local-address=[some ip] name=ike2-in-server.w4 passive=yes profile=ros
add local-address=[some ip] name=xauth-in-server.w1 passive=yes profile=ros
add exchange-mode=ike2 local-address=[some IP] name=ike2-in-server.w2 passive=yes profile=ros
add local-address=[some IP] name=l2tp-in-server.w3 passive=yes profile=defconf
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc,3des pfs-group=none
add enc-algorithms=aes-128-cbc name=ros pfs-group=none
add auth-algorithms=md5 enc-algorithms=3des name=draytek
add name=defconf
/ip ipsec identity
# Suggestion to use stronger pre-shared key or different authentication method
add auth-method=pre-shared-key-xauth generate-policy=port-strict mode-config=Xauth peer=xauth-in-server.w1 policy-template-group=xauth-s username=gw
add peer=mandymak
add auth-method=digital-signature certificate=ckleea.w4.serv generate-policy=port-strict mode-config=IKE2 peer=ike2-in-server.w4 policy-template-group=ike2-s remote-id=ignore
add peer=edmonduk
add generate-policy=port-strict peer=l2tp-in-server.w3 policy-template-group=l2tp-s remote-id=ignore
add auth-method=digital-signature certificate=ckleea.p12_0 generate-policy=port-strict mode-config=request-only peer=vps policy-template-group=ike2-c
add auth-method=digital-signature certificate=ckleea.w2.serv generate-policy=port-strict mode-config=IKE2 peer=ike2-in-server.w2 policy-template-group=ike2-s remote-id=ignore
add auth-method=digital-signature certificate=gfx_d2.client5-ckleea generate-policy=port-strict mode-config=request-only peer=gfx.ike2c policy-template-group=ike2-c
/ip ipsec policy
add disabled=yes dst-address=192.168.1.0/24 peer=mandymak proposal=draytek src-address=192.168.118.0/23 tunnel=yes
add disabled=yes dst-address=192.168.115.0/24 peer=edmonduk proposal=draytek src-address=192.168.118.0/24 tunnel=yes
add comment=IKE2-Clients group=ike2-c proposal=ros template=yes
add disabled=yes dst-address=192.168.88.0/25 level=unique peer=gfx.ike2c proposal=ros src-address=192.168.118.1/32 tunnel=yes
add disabled=yes dst-address=2001:88::/64 level=unique peer=gfx.ike2c proposal=ros src-address=fd00:118::1/128 tunnel=yes
add comment=IKEv2-Server group=ike2-s proposal=ros template=yes
add comment=Xauth-Server group=xauth-s proposal=ros template=yes
add comment=L2TP-Server group=l2tp-s proposal=defconf template=yes
set 8 comment="default template"
They work for L2TP and IKEv2 on both iPhone/iPad and older versions of macOS (i.e. before Ventura).

The picture is my IKEv2 configuration in Ventura. I used the same server name for both, which works on other iOS/macOS devices.