Using IKEv2 with EAP and v7 User Manager. I personally have been using such setup together with Lets Encrypt certificate for some time already and it works good for home setup. I do not think the OTP secret can be called true 2FA authentication, because the calculated token still needs to be typed into the user’s password field instead of a second authentication step, but it definitely can be a tool to increase security.