We use strongSwan, in particular the IKEv2 EAP-MD5 with pubkey authentication mechanism; no more susceptable to dictionary attacks than EAP-MSCHAPv2 anyway.
N.B. we would use EAP-TTLS, but the strongSwan Android client does not support it.
Start off by creating an account for yourself by editing:
/var/lib/strongswan/ipsec.secrets.inc
Once done, type
sudo ipsec rereadsecrets
Assuming you are using strongSwan on Android:
marmot.wormnet.eu
You should be able to tap the newly created profile and just connect; all your traffic should flow via marmot
now.
If you are unable to use the Android strongSwan client, or do not have an IKEv2 client, then you probably need to add an IKEv1 mechanism to the configuration. Do ask (Alex) for help if you cannot be bothered to do this yourself.
For debugging, you may find the log /var/log/daemon.log
helpful to tail -F
.