It's not easy being queen (of the numbats)! Here's how to get it working. First, get your IKE VPN stuff ready, like server certificate, client user/pass or certificate/key, server IP, etc.

Install all the needed packages. You'll notice that strongswan-plugin-eap-mschapv2 is no longer a package, but that's ok:

sudo apt install network-manager-strongswan libstrongswan-standard-plugins libstrongswan-extra-plugins libcharon-extra-plugins

Set up the VPN with the appropriate details, and make sure you choose "Request an inner IP address" otherwise you'll probably get an error like received FAILED_CP_REQUIRED notify, no CHILD_SA built; failed to establish CHILD_SA, keeping IKE_SA


It may fail to connect and with get errors like this when you check the logs via journalctl -u NetworkManager :

charon-nm[45620]: 08[IKE] server requested EAP_IDENTITY (id 0x00), sending 'wbradley'
charon-nm[45620]: 08[IKE] EAP_IDENTITY not supported, sending EAP_NAK
charon-nm[45620]: 08[ENC] generating IKE_AUTH request 2 [ EAP/RES/NAK ]
charon-nm[45620]: 08[NET] sending packet: from[46575] to[4500] (67 bytes)
charon-nm[45620]: 01[NET] received packet: from[4500] to[46575] (65 bytes)
charon-nm[45620]: 01[ENC] parsed IKE_AUTH response 2 [ EAP/FAIL ]

So here's the kicker, the GUI doesn't let you choose MSCHAP so you need to edit the file directly.

# Find the config file for your VPN:
sudo nmcli -f NAME,DEVICE,FILENAME connection show

# Edit it:
sudo vim /run/NetworkManager/system-connections/netplan-some-filename-here.nmconnection

And change method=eap to method=eap-mschapv2

Now with any luck, connecting works just fine.