The "generate ipsec profile ios-remote-access" generates the incorrect profile contents when used with the "authentication client-mode x509" mode introduced in T5870.
For example the profile includes:
<!-- The client uses EAP to authenticate --> <key>ExtendedAuthEnabled</key> <integer>1</integer>
Which should be omitted (or set to zero) when using the x509 client mode, which does not perform EAP authentication.
Additionally, newer versions of iOS and macOS require the "EnablePFS" option to be set in order to properly re-key when PFS is enabled in VyOS on the IKE group. This should also be fixed.