From 117e9edef844492ff5fd608036a4fecede337f45 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Thu, 6 Mar 2025 22:52:31 +0100 Subject: ipsec: T7225: iOS18+ always requires ExtendedAuthEnabled to be set If this is unset, loading the iOS VPN profile will error out on the device giving: Profile Installation Failed configuration is invalid: Missing identity My first assumption was an empty string in LocalIdentifier for IKE, but turned out only adding this flag solved it. This was made optional in commit e97d86e ("T6617: T6618: vpn ipsec remote-access: fix profile generators") but got reverted now. --- data/templates/ipsec/ios_profile.j2 | 2 -- 1 file changed, 2 deletions(-) diff --git a/data/templates/ipsec/ios_profile.j2 b/data/templates/ipsec/ios_profile.j2 index eaf00018b..68e02b498 100644 --- a/data/templates/ipsec/ios_profile.j2 +++ b/data/templates/ipsec/ios_profile.j2 @@ -55,11 +55,9 @@ AuthenticationMethod Certificate -{% if authentication.client_mode is vyos_defined and authentication.client_mode.startswith("eap") %} ExtendedAuthEnabled 1 -{% endif %} IKESecurityAssociationParameters -- cgit v1.2.3
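Review bot: In the hunk at line 55 of data/templates/ipsec/ios_profile.j2, removing the `{% if authentication.client_mode is vyos_defined and authentication.client_mode.startswith("eap") %}` guard leaves nothing in the template to say why ExtendedAuthEnabled is now unconditional. The same lines were made conditional in e97d86e and are now flipped back, so a later cleanup could easily restore the guard. Please add a Jinja comment directly above the ExtendedAuthEnabled key that references T7225 and the iOS 18+ "Missing identity" installation failure. Second point: the key is now also emitted when client_mode is not an EAP mode, in a block that sets AuthenticationMethod to Certificate. The commit message reports only that the profile installs, so it would help to state which client modes were tested and whether a non-EAP remote-access connection still establishes with ExtendedAuthEnabled set to 1.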