I ran into problems with Apple clients failing to connect to iked after updating a machine to 7.1, introduced by https://github.com/openbsd/src/commit/e3f5cf2ee26929d75dc2df9e86d97c36b2a94268

spi=0xac3d46687441f957: recv IKE_SA_INIT req 0 peer rrr.rrr.rrr.rr:49436 local lll.ll.lll.lll:500, 308 bytes, policy 'default'
spi=0xac3d46687441f957: send IKE_SA_INIT res 0 peer rrr.rrr.rrr.rr:49436 local lll.ll.lll.lll:500, 341 bytes
spi=0xac3d46687441f957: recv IKE_AUTH req 1 peer rrr.rrr.rrr.rr:64892 local lll.ll.lll.lll:4500, 368 bytes, policy 'default'
policy_test: localid mismatch
spi=0xac3d46687441f957: ikev2_ike_auth_recv: no compatible policy found
spi=0xac3d46687441f957: ikev2_send_auth_failed: authentication failed for
spi=0xac3d46687441f957: send IKE_AUTH res 1 peer rrr.rrr.rrr.rr:64892 local lll.ll.lll.lll:4500, 80 bytes, NAT-T
spi=0xac3d46687441f957: sa_free: authentication failed

I don't have full details of config done on the other side nor any fruit-based phones to test from myself, did anyone already run into this and figure out a way around it?

I'm currently running code backed out to "cvs up -D'2021/11/26 15:00'" as a workaround.

My config looks like

-----
set fragmentation

ikev2 "default" passive esp from 0.0.0.0/0 to dynamic \
    \
    local lll.ll.lll.lll \
    peer any \
    \
    ikesa enc aes-128-gcm group curve25519 group ecp521 group ecp256 group modp2048 \
    ikesa enc aes-128 enc aes-256 auth hmac-sha2-256 auth hmac-sha1 group curve25519 group ecp521 group ecp256 group modp2048 group modp1024 \
    \
    childsa enc aes-128-gcm group curve25519 group ecp521 group ecp256 group modp2048 \
    childsa enc aes-128 enc aes-256 auth hmac-sha2-256 auth hmac-sha1 group curve25519 group ecp521 group ecp256 group modp2048 group modp1024 \
    \
    childsa enc aes-128 enc aes-256 auth hmac-sha2-256 auth hmac-sha1 \
    \
    srcid "xxxxxxxxxxxxxxxxxxxx" \
    lifetime 3h bytes 5G \
    eap "mschap-v2" \
    config address ttt.ttt.tt.ttt/26 \
    config name-server lll.ll.lll.aa \
    config name-server lll.ll.lll.bb \
    tag "$name-$id"

ikev2 "keysim" active tunnel esp from 0.0.0.0/0 to 100.70.76.0/22 \
    local lll.ll.lll.lll peer kk.kkk.kkk.kkk \
    ikesa auth hmac-sha2-256 enc aes-256 group modp3072 \
    childsa auth hmac-sha2-256 enc aes-256 group modp3072 \
    srcid lll.ll.lll.lll dstid kk.kkk.kkk.kkk \
    lifetime 3h bytes 20G \
    psk xxxxxxxxxxxxxxxx \
    tag "keysim"

include "/etc/iked.users"
-----