|Android 5||SHA256-128, SHA1-96, MD5-96||AES256, AES128, 3DES, DES|
|iOS 9||SHA1-96, MD5-96||AES256, AES128, 3DES|
|Mac OS X 10.10||SHA1-96, MD5-96||AES256, AES128, 3DES|
The working configurations I found were:
and I settled on the last combo as AES256 is the strongest CBC from that list.
PS for DH key exchange, only so-called Group 2 1024modp was in the list on all three devices, so there was no other choice available, and no further testing was done.
PS2 I tried SHA256 authentication with the Android device, but no successful connection could be set up with the VPN gateway. It looks like there was some kind of incompatibility between the SHA256 implementations on both devices. As the Apple devices didn't announce support for SHA256, there was no reason to debug that in this environment.
PS3 Some of the acronyms encountered during these tests: IKE, HMAC, PRF, CBC