Ugh! I may have stumbled across an answer…
On the Advanced page change the Grouptype from MOD-1024 to MOD-2048.
I see the following in the IPFire messages log (/var/log/messages):
Jul 25 16:25:20 ipfire charon: 06[CFG] received proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/MODP_2048
Jul 25 16:25:20 ipfire charon: 06[CFG] configured proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/MODP_1024
Jul 25 16:25:20 ipfire charon: 06[IKE] remote host is behind NAT
Jul 25 16:25:20 ipfire charon: 06[IKE] received proposals unacceptable
MOD-2048 is what my iPhoneSE sends (see 1st line). And the IPFire box was expecting MODP_1024. I am wild guessing the iPhoneSE doesn’t accept MODP_1024.
I just started testing but all looks good for the moment…
EDIT: FYI - this is testing a PSK and not a certificate.
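
As an added example that is not part of the original post: a small Python script that pairs charon's "received proposals" and "configured proposals" lines per thread and reports which transform type has no overlap. The function names and the prefix-based transform classification are assumptions made for this illustration, and the sample input is the four log lines quoted above.

```python
import re
from collections import defaultdict

# Sample input: the four charon lines quoted in the post above.
SAMPLE_LOG = """\
Jul 25 16:25:20 ipfire charon: 06[CFG] received proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/MODP_2048
Jul 25 16:25:20 ipfire charon: 06[CFG] configured proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/MODP_1024
Jul 25 16:25:20 ipfire charon: 06[IKE] remote host is behind NAT
Jul 25 16:25:20 ipfire charon: 06[IKE] received proposals unacceptable
"""

LINE_RE = re.compile(r"charon: (\d+)\[CFG\] (received|configured) proposals: (.+)$")

def transform_type(name):
    """Classify a transform by its name prefix (simplified, assumed mapping)."""
    if name.startswith("PRF_"):
        return "prf"
    if name.startswith(("MODP_", "ECP_", "CURVE_")):
        return "dh_group"
    if name.startswith("HMAC_"):
        return "integrity"
    return "encryption"

def offered(props):
    """Map transform type -> names seen across all comma-separated proposals."""
    by_type = defaultdict(set)
    for proposal in props.split(","):
        _proto, _, transforms = proposal.strip().partition(":")
        for name in transforms.split("/"):
            by_type[transform_type(name)].add(name)
    return by_type

def find_mismatches(log_text):
    """Return (type, peer_offers, local_config) for each type with no overlap."""
    pending, results = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        thread, side, props = m.groups()
        pair = pending.setdefault(thread, {})
        pair[side] = offered(props)
        if len(pair) < 2:
            continue
        for ttype in sorted(set(pair["received"]) | set(pair["configured"])):
            peer = pair["received"].get(ttype, set())
            local = pair["configured"].get(ttype, set())
            # Skip types one side omits (e.g. no integrity transform with AES-GCM).
            if peer and local and not peer & local:
                results.append((ttype, sorted(peer), sorted(local)))
        del pending[thread]
    return results

if __name__ == "__main__":
    for ttype, peer, local in find_mismatches(SAMPLE_LOG):
        print(f"{ttype}: peer offers {peer}, configured {local}")
```

The check is per transform type, which is a heuristic: IKE itself selects a whole proposal, so a clean result here does not guarantee that some single proposal matches on every transform.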