I've got a working IKEv2 VPN with RSA authentication on my new Mikrotik after following their wiki guide.
It wasn't documented as part of the guide but I had some fun figuring out that I needed to add a couple of Filter rules to enable this to work. Namely:
1 ;;; allow L2TP VPN (500,4500,1701/udp)
chain=input action=accept protocol=udp in-interface=pppoe-out1 dst-port=500,1701,4500 log=yes log-prefix="vpn"
2 ;;; allow L2TP VPN (ipsec-esp)
chain=input action=accept protocol=ipsec-esp in-interface=pppoe-out1 log=yes log-prefix="vpn"
Windows 10 clients are connecting and working fine with Certificate Authentication, so I've assumed the VPN is set up correctly.
Not so with my iPhone (iOS 11).
Filter log indicates:
jul/26 07:00:18 ipsec,info new ike2 SA (R): public.ip.address[500]-my.iphone.public.address[44774] spi:f3ac03c95c285edd:0b7eaa5b9a4d8b2d
jul/26 07:00:18 ipsec,error EAP not configured
jul/26 07:00:18 ipsec,info killing ike2 SA: public.ip.address[4500]-my.iphone.public.address[40931] spi:f3ac03c95c285edd:0b7eaa5b9a4d8b2d
But I'm not using EAP - at least I don't think I am. I found some info online about older iOS versions having a bug requiring EAP with certs. My iPhone VPN connection specifies Certificate Authentication. I have both root cert and client certs loaded, verified and trusted.
Has anyone encountered this? I'll play some more tonight, but my fallback plan may be to try an L2TP/IPsec connection instead.
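Added example, not from the post above: a small Python helper that pairs the "new ike2 SA" and "killing ike2 SA" lines in the RouterOS ipsec log by SPI and attaches any ipsec,error lines logged in between, so a batch of these lines can be reduced to a list of failed negotiations with their reason. The sample lines are constructed with documentation addresses; attributing an error line to the most recently opened, not-yet-killed SA is an assumption about how RouterOS interleaves them.

```python
import re
from collections import OrderedDict

# Constructed sample log in the format shown in the post (documentation addresses).
SAMPLE_LOG = """\
jul/26 07:00:18 ipsec,info new ike2 SA (R): 203.0.113.1[500]-198.51.100.7[44774] spi:f3ac03c95c285edd:0b7eaa5b9a4d8b2d
jul/26 07:00:18 ipsec,error EAP not configured
jul/26 07:00:18 ipsec,info killing ike2 SA: 203.0.113.1[4500]-198.51.100.7[40931] spi:f3ac03c95c285edd:0b7eaa5b9a4d8b2d
jul/26 07:05:02 ipsec,info new ike2 SA (R): 203.0.113.1[500]-192.0.2.9[500] spi:0011223344556677:8899aabbccddeeff
"""

# "new ike2 SA (R)" / "(I)" = responder / initiator; peer is "addr[port]".
NEW_RE = re.compile(r'^(?P<ts>\S+ \S+) ipsec,info new ike2 SA \((?P<role>[RI])\): '
                    r'(?P<local>\S+)-(?P<peer>\S+) spi:(?P<spi>\S+)$')
KILL_RE = re.compile(r'^(?P<ts>\S+ \S+) ipsec,info killing ike2 SA: '
                     r'(?P<local>\S+)-(?P<peer>\S+) spi:(?P<spi>\S+)$')
ERR_RE = re.compile(r'^(?P<ts>\S+ \S+) ipsec,error (?P<msg>.+)$')


def correlate(log_text):
    """Map each SPI pair to its peer, start/kill timestamps and error messages."""
    sas = OrderedDict()
    open_spis = []  # SAs seen in a "new" line but not yet killed, in order
    for line in log_text.splitlines():
        m = NEW_RE.match(line)
        if m:
            sas[m['spi']] = {'peer': m['peer'].split('[')[0], 'role': m['role'],
                             'started': m['ts'], 'killed': None, 'errors': []}
            open_spis.append(m['spi'])
            continue
        m = ERR_RE.match(line)
        if m and open_spis:
            # Assumption: an error line belongs to the most recently opened live SA.
            sas[open_spis[-1]]['errors'].append(m['msg'])
            continue
        m = KILL_RE.match(line)
        if m and m['spi'] in sas:
            sas[m['spi']]['killed'] = m['ts']
            if m['spi'] in open_spis:
                open_spis.remove(m['spi'])
    return sas


def failed_negotiations(log_text):
    """Only the SAs that were torn down after logging at least one error."""
    return {spi: sa for spi, sa in correlate(log_text).items()
            if sa['killed'] and sa['errors']}
```

Running failed_negotiations over the sample yields one entry, the iPhone's SA, with the reason "EAP not configured"; the second SA has no kill line and is left out.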
