So, until now, I used L2TP/IPSec, with RADIUS authentication. It worked perfectly, except there was this tiny little problem with multiple clients behind the same NAT...
With new ROS 6.38 I tried to set up IPSec with IKEv2 and also RADIUS authentication. Now I can't connect from my Android 6.0.1 at all, seems like IKEv2 is not supported on that relatively new platform... And when I try to connect from Windows 10, the only thing that looks like a problem in ROS log, is this line: "bad EAP size". Any idea what this means? Has anyone successfully set up EAP RADIUS + IKEv2 on the new ROS? Perhaps post your relevant config dump?