It's not easy being queen (of the numbats)! Here's how to get it working. First, get your IKE VPN stuff ready, like server certificate, client user/pass or certificate/key, server IP, etc.
Install all the needed packages. You'll notice that strongswan-plugin-eap-mschapv2 is no longer a package, but that's OK:
sudo apt install network-manager-strongswan libstrongswan-standard-plugins libstrongswan-extra-plugins libcharon-extra-plugins
Set up the VPN with the appropriate details, and make sure you choose "Request an inner IP address"; otherwise you'll probably get an error like:
received FAILED_CP_REQUIRED notify, no CHILD_SA built; failed to establish CHILD_SA, keeping IKE_SA
It may still fail to connect, with errors like this when you check the logs via journalctl -u NetworkManager:
charon-nm[45620]: 08[IKE] server requested EAP_IDENTITY (id 0x00), sending 'wbradley'
charon-nm[45620]: 08[IKE] EAP_IDENTITY not supported, sending EAP_NAK
charon-nm[45620]: 08[ENC] generating IKE_AUTH request 2 [ EAP/RES/NAK ]
charon-nm[45620]: 08[NET] sending packet: from 192.168.10.10[46575] to 1.2.3.4[4500] (67 bytes)
charon-nm[45620]: 01[NET] received packet: from 1.2.3.4[4500] to 192.168.10.10[46575] (65 bytes)
charon-nm[45620]: 01[ENC] parsed IKE_AUTH response 2 [ EAP/FAIL ]
So here's the kicker: the GUI doesn't let you choose MSCHAP, so you need to edit the file directly.
# Find the config file for your VPN:
sudo nmcli -f NAME,DEVICE,FILENAME connection show
# Edit it:
sudo vim /run/NetworkManager/system-connections/netplan-some-filename-here.nmconnection
And change method=eap
to method=eap-mschapv2
Now with any luck, connecting works just fine.
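The same edit as a script, as an added example that is not part of the original post: it rewrites only an exact method=eap line inside the keyfile's [vpn] section, so the method=auto lines under [ipv4]/[ipv6] are untouched and running it twice is harmless. The function name fix_eap_method is hypothetical, and the script assumes the strongSwan plugin keeps its method key under [vpn].

```bash
#!/usr/bin/env bash
# Added example (not from the original post): set method=eap-mschapv2 in the
# [vpn] section of a NetworkManager keyfile without touching other sections.

# fix_eap_method FILE   (hypothetical helper name)
# Returns 0 if the file was changed, 1 if nothing needed changing, 2 on error.
fix_eap_method() {
    local file=$1 tmp rc
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    tmp=$(mktemp) || return 2
    # Track the current [section]; rewrite only an exact "method=eap" line
    # inside [vpn], so "method=auto" elsewhere and an already-fixed
    # "method=eap-mschapv2" are left alone.
    if awk '
        /^\[/ { in_vpn = ($0 == "[vpn]") }
        in_vpn && $0 == "method=eap" { print "method=eap-mschapv2"; changed = 1; next }
        { print }
        END { exit !changed }
    ' "$file" > "$tmp"; then
        # Write through the existing inode so the owner and mode of the
        # keyfile (it holds credentials) stay exactly as they were.
        cat "$tmp" > "$file"; rc=$?
        [ "$rc" -eq 0 ] || rc=2
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Usage: sudo bash fix-eap.sh /path/to/your-vpn.nmconnection
[ $# -eq 0 ] || fix_eap_method "$1"
```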