BlackBerry OS 10¶

Blackberry 10 supports Cisco IKEv1 with XAUTH-PSK and XAUTH-PKI and IKEv2 with PSK, PKI, EAP-TLS and EAP-MSCHAPv2 authentication. You should choose "Generic IKEv2 VPN Server" as a gateway type for IKEv2.
Both server and client could be authenticated by IPv4 address, FQDN, Email in certificate, General or Distinguished name.

For BlackBerry OS 10 to accept a server certificate, it has to contain the serverAuth flag in the EKU (Extended Key Usage) field.
A client certificate needs to have clientAuth set in the EKU field.

Works fine with the following config:

conn %default
    # left - local (server) side
    left=%any
    leftauth=pubkey
    leftcert=your_cert.crt
    leftsendcert=always
    leftsubnet=0.0.0.0/0

    # right - remote (client) side
    right=%any
    rightauth=pubkey
    rightsourceip=192.168.103.0/24
    rightdns=8.8.8.8

conn ikev2-pubkey
    keyexchange=ikev2
    auto=add