authorChristian Breunig <christian@breunig.cc>2025-03-06 22:52:31 +0100
committerChristian Breunig <christian@breunig.cc>2025-03-06 22:52:31 +0100
commit117e9edef844492ff5fd608036a4fecede337f45 (patch)
tree921edc4710e61d9c250422e95a82f5d586ae2000 /data
parent4a5fbf5e2c809d3e108fc8e9ed93ef261ceee3dd (diff)
ipsec: T7225: iOS18+ always requires ExtendedAuthEnabled to be set
If this is unset, loading the iOS VPN profile will error out on the device, giving: "Profile Installation Failed configuration is invalid: Missing identity". My first assumption was an empty string in LocalIdentifier for IKE, but it turned out that only adding this flag solved it. This was made optional in commit e97d86e ("T6617: T6618: vpn ipsec remote-access: fix profile generators"), but that is reverted now.
Diffstat (limited to 'data')
-rw-r--r--data/templates/ipsec/ios_profile.j22
1 files changed, 0 insertions, 2 deletions
diff --git a/data/templates/ipsec/ios_profile.j2 b/data/templates/ipsec/ios_profile.j2
index eaf00018b..68e02b498 100644
--- a/data/templates/ipsec/ios_profile.j2
+++ b/data/templates/ipsec/ios_profile.j2
@@ -55,11 +55,9 @@
<!-- The server is authenticated using a certificate -->
<key>AuthenticationMethod</key>
<string>Certificate</string>
-{% if authentication.client_mode is vyos_defined and authentication.client_mode.startswith("eap") %}
<!-- The client uses EAP to authenticate -->
<key>ExtendedAuthEnabled</key>
<integer>1</integer>
-{% endif %}
<!-- The next two dictionaries are optional (as are the keys in them), but it is recommended to specify them as the default is to use 3DES.
IMPORTANT: Because only one proposal is sent (even if nothing is configured here) it must match the server configuration -->
<key>IKESecurityAssociationParameters</key>
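Review bot: The comment `<!-- The client uses EAP to authenticate -->` left above `ExtendedAuthEnabled` is no longer accurate, because with the `{% if %}` guard removed the key is written as `1` for every `authentication.client_mode`, not only the `eap*` modes. I would reword it to record why the key is unconditional, for example `<!-- iOS 18+ rejects the profile ("Missing identity") unless ExtendedAuthEnabled is set, so it is always emitted -->`. The rest of the template lies outside this hunk, so it is worth confirming there that a non-EAP client mode still authenticates with the intended client credential once this flag is always set.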