by gmac 3408 days ago
I have a simple bash script that does something similar, including the Apple profile, and also gets you a Let's Encrypt server cert that auto-renews.

https://github.com/jawj/IKEv2-setup

1 comments

Bash is not idempotent, using a public CA has downsides, and MSCHAP has known weaknesses that make the crypto easier to brute-force.

Right. On the other hand, a Bash script has a low barrier to entry, it's handy not to have to install certificates on the client, and the highest possible security is not always top priority (if, for example, you're just trying to evade your government's illiberal bulk domain/IP address collection policies). Swings and roundabouts, I'd say.