Hi,
I have a fully working setup of OpenIKEd + Win7x64 using IKEv2 and MSCHAP-v2, but
the BlackBerry device stops negotiating and fails while connecting.
The exact BlackBerry SW version is: 10.3.2.2836.
The cert and 2048-bit key in *.P12 form were transferred to the BlackBerry device.
10.0.20.0/24 is local network
10.0.10.0/24 is IPsec network
DNS server is 10.0.20.1
/etc/iked.conf is:
ikev2 "winauth" passive esp \
	from 10.0.20.0/24 to 10.0.10.0/24 \
	local IP_of_server peer any \
	srcid myserver.domain \
	eap "mschap-v2" \
	config address 10.0.10.10 \
	config netmask 255.255.255.0 \
	config name-server 10.0.20.1 \
	tag "$name-$id"
# The transform lines are kept commented out; they are placed after the rule
# because a '#' comment ending in '\' would swallow the continued line.
# ikesa auth hmac-sha1 enc 3des group modp2048
# childsa auth hmac-sha1 enc aes-256 group modp2048
OBSD has a working PF setup to allow IPsec traffic {isakmp, ipsec-nat-t} and both
protos {ah, esp}.
I am trying to make the same setup with the BlackBerry 10.3.2.2836 OS using the same
/etc/iked.conf.
On the BlackBerry phone I tried various profiles (the general profile is listed below):
---------------------------------------
Server address: IP_of_server
Gateway type: Generic IKEv2 VPN Server (tried Microsoft IKEv2 VPN
Server, but unsuccessful too)
Auth Type: EAP-MSCHAPv2
Authentication ID Type: FQDN
Auth ID: myserver.domain
MSCHAPv2 EAP Identity: username
MSCHAPv2 Password: userpass
Gateway Auth Type: PKI
Gateway Auth ID Type: FQDN
Gateway Auth ID: myserver.domain
Allow Untrusted Cert: Prompt
Gateway CA Cert: CAmyserver.domain.name
Perfect Forward Secrecy: set_to_YES
Auto IP: set_to_YES
Auto DNS: set_to_YES
Auto Determine Algorithm: set_to_YES
IKE lifetime in Sec.: 86400
IPSec Lifetime: 10800
NAT Keep Alive: 30
DPD Frequency: 240
Use Proxy: set_to_NO
-----------------------------
# iked -dvv, negotiating with the BlackBerry phone:
...
ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 272
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 240
ikev2_msg_decrypt: integrity checksum length 12
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 240/240 padding 15
ikev2_pld_payloads: decrypted payload IDi nextpayload CERTREQ critical 0x00 length 19
ikev2_pld_id: id FQDN/myserver.domain length 15
ikev2_pld_payloads: decrypted payload CERTREQ nextpayload CP critical 0x00 length 5
ikev2_pld_certreq: type X509_CERT signatures length 0
ikev2_pld_certreq: invalid certificate request
ikev2_resp_recv: failed to parse message
The same connection works fine between Win7 and iked. The iked log is below:
...
ikev2_msg_decrypt: encrypted payload length 160
ikev2_msg_decrypt: integrity checksum length 12
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 160/160 padding 7
ikev2_pld_payloads: decrypted payload AUTH nextpayload CP critical 0x00 length 28
ikev2_pld_auth: method SHARED_KEY_MIC length 20
ikev2_pld_payloads: decrypted payload CP nextpayload SA critical 0x00 length 32
ikev2_pld_cp: type REPLY length 24
ikev2_pld_cp: INTERNAL_IP4_ADDRESS 0x0001 length 4
ikev2_pld_cp: INTERNAL_IP4_NETMASK 0x0002 length 4
ikev2_pld_cp: INTERNAL_IP4_DNS 0x0003 length 4
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 44
ikev2_pld_sa: more 0 reserved 0 length 40 proposal #1 protoid ESP spisize 4 xforms 3 spi 0x84ea51d8
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 10.0.10.0 end 10.0.10.255
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 10.0.20.0 end 10.0.20.255
ikev2_msg_send: IKE_AUTH from IP_of_server:4500 to IP_of_client:4500, 212 bytes, NAT-T
pfkey_sa_add: update spi 0x84ea51d8
pfkey_sa: udpencap port 4500
ikev2_childsa_enable: loaded CHILD SA spi 0x84ea51d8
pfkey_sa_add: add spi 0xcfea0559
pfkey_sa: udpencap port 4500
ikev2_childsa_enable: loaded CHILD SA spi 0xcfea0559
ikev2_childsa_enable: loaded flow 0x20527e400
ikev2_childsa_enable: loaded flow 0x204a56800
sa_state: EAP_VALID -> ESTABLISHED from IP_of_client:4500 to IP_of_server:4500 policy 'winauth'
Or what phone model (brand) can I use to have IPsec working on the road?
Thanks.
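The failing line in the BlackBerry log, "ikev2_pld_certreq: type X509_CERT signatures length 0" followed by "invalid certificate request", is iked saying the phone's CERTREQ payload names no trusted CA: the payload is 5 bytes, the 4-byte generic payload header plus the 1-byte Cert Encoding field, with no 20-byte SHA-1 CA hashes after it (RFC 7296 section 3.7). The parser below is an added illustration, not code from the post or from iked; it decodes that payload shape and separates an empty request from a malformed one, using byte strings constructed to match the lengths in the log.

```python
import struct
from dataclasses import dataclass, field

PAYLOAD_CP = 47             # Next Payload value seen in the log (CP follows CERTREQ)
CERT_X509_SIGNATURE = 4     # Cert Encoding "X.509 Certificate - Signature" (RFC 7296)
SHA1_LEN = 20               # CA field is a list of SHA-1 hashes of CA public keys


@dataclass
class CertReq:
    next_payload: int
    critical: bool
    cert_encoding: int
    ca_hashes: list = field(default_factory=list)


def parse_certreq(buf: bytes) -> CertReq:
    """Parse one CERTREQ payload: 4-byte generic header, 1-byte Cert Encoding,
    then the Certification Authority field. Raises ValueError when malformed."""
    if len(buf) < 5:
        raise ValueError("shorter than generic header + Cert Encoding")
    next_payload, flags, length = struct.unpack("!BBH", buf[:4])
    if length < 5 or length > len(buf):
        raise ValueError(f"payload length {length} does not fit the buffer")
    encoding = buf[4]
    ca = buf[5:length]
    if encoding == CERT_X509_SIGNATURE and len(ca) % SHA1_LEN != 0:
        raise ValueError(f"CA field of {len(ca)} bytes is not a multiple of {SHA1_LEN}")
    hashes = [ca[i:i + SHA1_LEN] for i in range(0, len(ca), SHA1_LEN)]
    return CertReq(next_payload, bool(flags & 0x80), encoding, hashes)


def classify_certreq(buf: bytes) -> str:
    """'malformed' if the payload cannot be parsed, 'empty' if it names no CA
    (the case iked logs as 'signatures length 0' and rejects), otherwise 'ok'."""
    try:
        req = parse_certreq(buf)
    except ValueError:
        return "malformed"
    return "empty" if not req.ca_hashes else "ok"


# Constructed samples, not captured traffic. The first reproduces the shape in the
# log above: nextpayload CP, length 5, type X509_CERT, zero CA hashes.
BLACKBERRY_LIKE = struct.pack("!BBH", PAYLOAD_CP, 0, 5) + bytes([CERT_X509_SIGNATURE])
ONE_CA = (struct.pack("!BBH", PAYLOAD_CP, 0, 5 + SHA1_LEN)
          + bytes([CERT_X509_SIGNATURE]) + bytes(range(SHA1_LEN)))  # dummy SHA-1 hash
TRUNCATED = struct.pack("!BBH", PAYLOAD_CP, 0, 15) + bytes([CERT_X509_SIGNATURE]) + bytes(10)

if __name__ == "__main__":
    for name, pkt in (("blackberry_like", BLACKBERRY_LIKE), ("one_ca", ONE_CA), ("truncated", TRUNCATED)):
        print(f"{name}: {classify_certreq(pkt)}")
```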