Set up VPN client on linux for ipsec ikev2-eap firewall


--edit--

Could set it up with the help of the comment from ecdsa:

Ended up using the strongSwan network manager, disabling eap-peap in strongswan.conf, following these instructions.

--edit--

Connecting to the VPN of our company works fine for Windows users, who use the client program.

The hardware device is a Zyxel USG 200.

I tried different network managers and approaches to connect from a Linux machine, but no success so far. Here is the log of the strongSwan charon-cmd output. The certificates are imported and trusted locally on the remote computer.

sudo charon-cmd --host 1.23.456.78  --ike-proposal aes128-sha256-modp1024 --esp-proposal aes128-sha256  --profile ikev2-eap --identity ssl_vpn_user  --cert ~/Downloads/RemoteAccess_1.23.456.78.crt --cert ~/Downloads/usg_flex_200_D8ECE5A68304.crt

00[LIB] providers loaded by OpenSSL: legacy default
00[LIB] created TUN device: ipsec0
00[LIB] dropped capabilities, running as uid 0, gid 0
00[DMN] Starting charon-cmd IKE client (strongSwan 5.9.5, Linux 5.15.0-76-generic, x86_64)
00[LIB] loaded plugins: charon-cmd aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 sshkey pem openssl fips-prf gmp agent xcbc hmac gcm drbg kernel-libipsec kernel-netlink resolve socket-default bypass-lan eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic
00[JOB] spawning 16 worker threads
09[KNL] error installing route with policy 169.254.0.0/16 === 169.254.0.0/16 out
09[IKE] installed bypass policy for 169.254.0.0/16
09[IKE] installed bypass policy for 172.17.0.0/16
09[IKE] installed bypass policy for 172.18.0.0/16
09[IKE] installed bypass policy for 172.19.0.0/16
09[IKE] installed bypass policy for 192.168.37.0/24
09[IKE] installed bypass policy for ::1/128
09[KNL] error installing route with policy fe80::/64 === fe80::/64 out
09[IKE] installed bypass policy for fe80::/64
09[IKE] interface change for bypass policy for fe80::/64 (from ipsec0 to wlp0s20f3)
09[KNL] error installing route with policy fe80::/64 === fe80::/64 out
11[IKE] initiating IKE_SA cmd[1] to 1.23.456.78
11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
11[NET] sending packet: from 192.168.37.82[55358] to 1.23.456.78[4500] (336 bytes)
12[NET] received packet: from 1.23.456.78[4500] to 192.168.37.82[55358] (741 bytes)
12[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HTTP_CERT_LOOK) CERTREQ V V V V V V ]
12[ENC] received unknown vendor ID: f7:58:f2:26:68:75:0f:03:b0:8d:f6:eb:e1:d0:04:03
12[ENC] received unknown vendor ID: f9:19:6d:f8:6b:81:2f:b0:f6:80:26:d8:87:6d:cb:7b:00:04:32:00
12[ENC] received unknown vendor ID: ac:40:f8:c4:38:99:27:c6:e8:ac:24:53:1b:b7:8b:2b:eb:6e:39:e0:1c:82:60:34:49:e1:58:21:00:53:c8:28:02:b5:23:f1:eb:50:a0:ae:fb:55:e8:d6:23:c1:2e:81:34:40:eb:ff:e2:5f:1e:b4:3f:c1:c4:e1:50:68:45:e8:ea:be:21:b4:0b:40:1a:36:9b:33:9a:a0:38:ac:81:52:52:c7:6a:8d:97:2c:a2:1f:3e:8d:92:06:c5:e2:0b:c3:74:8a:62:48:51:44:eb:19:3f:a2:85:33:d5:9a:bb:50:e5:7d:21:d6:8a:9e:4d:3c:72:81:1b:95:fb:6a:24:5d
12[ENC] received unknown vendor ID: 24:ae:2f:6d:9e:a6:1b:d4:23:5e:e3:f3:c2:ee:65:6f:42:65:10:20:0b:e3:d5:6b:f7:34:52:7c:29:d6:8f:8f:d3:d9:e4:42:88:87:bf:16:75:e8:3b:b7:48:13:fb:bc:2c:a1:d5:88:4e:dd:96:e7:3e:78:97:b5:76:22:a2:cb
12[ENC] received unknown vendor ID: 8a:3b:5b:d4:b8:94:b2:f3:37:0c:1e:65:67:2e:ec:44
12[ENC] received unknown vendor ID: b6:c9:8c:ca:29:0a:eb:be:37:f1:9f:31:12:d2:d7:cb
12[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
12[IKE] local host is behind NAT, sending keep alives
12[IKE] received cert request for "CN=usg_flex_200_D8ECE5A68304"
12[IKE] received cert request for "CN=1.23.456.78"
12[IKE] received 5 cert requests for an unknown ca
12[IKE] sending cert request for "CN=usg_flex_200_D8ECE5A68304"
12[IKE] sending cert request for "CN=1.23.456.78"
12[IKE] establishing CHILD_SA cmd{1}
12[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
12[NET] sending packet: from 192.168.37.82[53305] to 1.23.456.78[4500] (320 bytes)
13[NET] received packet: from 1.23.456.78[4500] to 192.168.37.82[53305] (1232 bytes)
13[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
13[IKE] received end entity cert "CN=1.23.456.78"
13[CFG]   using trusted certificate "CN=1.23.456.78"
13[IKE] authentication of '1.23.456.78' with RSA signature successful
13[IKE] server requested EAP_IDENTITY (id 0x64), sending 'ssl_vpn_user'
13[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ]
13[NET] sending packet: from 192.168.37.82[53305] to 1.23.456.78[4500] (96 bytes)
14[NET] received packet: from 1.23.456.78[4500] to 192.168.37.82[53305] (80 bytes)
14[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/PEAP ]
14[IKE] server requested EAP_PEAP authentication (id 0x65)
14[TLS] EAP_PEAP version is v0
14[ENC] generating IKE_AUTH request 3 [ EAP/RES/PEAP ]
14[NET] sending packet: from 192.168.37.82[53305] to 1.23.456.78[4500] (288 bytes)
09[NET] received packet: from 1.23.456.78[4500] to 192.168.37.82[53305] (1088 bytes)
09[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/PEAP ]
09[TLS] negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
09[TLS] server certificate does not match to '1.23.456.78'
09[TLS] sending fatal TLS alert 'access denied'
09[ENC] generating IKE_AUTH request 4 [ EAP/RES/PEAP ]
09[NET] sending packet: from 192.168.37.82[53305] to 1.23.456.78[4500] (96 bytes)
16[NET] received packet: from 1.23.456.78[4500] to 192.168.37.82[53305] (416 bytes)
16[ENC] parsed IKE_AUTH response 4 [ EAP/REQ/PEAP ]
16[ENC] generating IKE_AUTH request 5 [ EAP/RES/PEAP ]
16[NET] sending packet: from 192.168.37.82[53305] to 1.23.456.78[4500] (80 bytes)
11[NET] received packet: from 1.23.456.78[4500] to 192.168.37.82[53305] (80 bytes)
11[ENC] parsed IKE_AUTH response 5 [ EAP/FAIL ]
11[IKE] received EAP_FAILURE, EAP authentication failed
11[ENC] generating INFORMATIONAL request 6 [ N(AUTH_FAILED) ]
11[NET] sending packet: from 192.168.37.82[53305] to 1.23.456.78[4500] (80 bytes)
00[IKE] uninstalling bypass policy for 169.254.0.0/16
00[IKE] uninstalling bypass policy for 172.17.0.0/16
00[IKE] uninstalling bypass policy for 172.18.0.0/16
00[IKE] uninstalling bypass policy for 172.19.0.0/16
00[IKE] uninstalling bypass policy for 192.168.37.0/24
00[IKE] uninstalling bypass policy for ::1/128
00[IKE] uninstalling bypass policy for fe80::/64

The working configuration file (.sswan) for the android strongswan client looks like this:

{
    "uuid": "C045...BFA",
    "name": "RemoteAccess_1.23.456.78",
    "type": "ikev2-eap",
    "remote": {
        "addr": "1.23.456.78",
        "id": "1.23.456.78",
        "cert": "MIIDWDCCA...nh08r1KVxc="
    },
    "split-tunneling": {
        "subnets": "0.0.0.0/0"
    },
    "ike-proposal": "aes128-sha256-modp1024",
    "esp-proposal": "aes128-sha256"
}

The Linux system is Ubuntu 20.04 LTS. Thanks for any inputs!
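The log above already contains the answer to "where does it fail": the gateway authenticates fine with its RSA signature, then the server asks for EAP-PEAP, and inside PEAP's TLS tunnel the server certificate does not match the identity '1.23.456.78', so charon itself sends the 'access denied' alert before any credential is sent. The following script is an added example, not code from the question or from the strongSwan project: it parses charon/charon-cmd log lines (the question's own excerpt, plus a constructed success excerpt that assumes the gateway falls back to EAP-MSCHAPv2 once PEAP is refused) and turns them into finding codes a practitioner can grep for. It uses only the standard library.

```python
"""Triage a strongSwan charon/charon-cmd log of an IKEv2 EAP client attempt.

Added example, not part of the original question or of strongSwan itself.
Standard library only.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Excerpt of the charon-cmd output posted in the question (thread ids kept).
FAILED_LOG = """\
12[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
13[IKE] received end entity cert "CN=1.23.456.78"
13[IKE] authentication of '1.23.456.78' with RSA signature successful
13[IKE] server requested EAP_IDENTITY (id 0x64), sending 'ssl_vpn_user'
14[IKE] server requested EAP_PEAP authentication (id 0x65)
09[TLS] negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
09[TLS] server certificate does not match to '1.23.456.78'
09[TLS] sending fatal TLS alert 'access denied'
11[IKE] received EAP_FAILURE, EAP authentication failed
"""

# Constructed excerpt (an assumption, not taken from the question) of what a run
# looks like when the gateway offers a non-PEAP EAP method and it succeeds.
SUCCESS_LOG = """\
12[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
13[IKE] authentication of '1.23.456.78' with RSA signature successful
13[IKE] server requested EAP_IDENTITY (id 0x64), sending 'ssl_vpn_user'
14[IKE] server requested EAP_MSCHAPV2 authentication (id 0x65)
15[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
"""

LINE_RE = re.compile(r"^\s*(?P<thread>\d+)\[(?P<group>[A-Z]+)\]\s+(?P<msg>.*)$")
PROPOSAL_RE = re.compile(r"selected proposal: IKE:(?P<p>\S+)")
GW_AUTH_RE = re.compile(r"authentication of '(?P<id>[^']+)' with (?P<m>.+?) successful")
EAP_REQ_RE = re.compile(r"server requested (?P<m>EAP_[A-Z0-9_]+)")
EAP_OK_RE = re.compile(r"EAP method (?P<m>EAP_[A-Z0-9_]+) succeeded")
TLS_SUITE_RE = re.compile(r"negotiated TLS \d\.\d using suite (?P<s>\S+)")
TLS_MISMATCH_RE = re.compile(r"server certificate does not match to '(?P<id>[^']+)'")
TLS_ALERT_RE = re.compile(r"sending fatal TLS alert '(?P<a>[^']+)'")


@dataclass
class Attempt:
    ike_proposal: Optional[str] = None
    gateway_id: Optional[str] = None
    gateway_auth: Optional[str] = None       # e.g. "RSA signature"
    eap_methods: List[str] = field(default_factory=list)
    eap_succeeded: Optional[str] = None
    tls_suite: Optional[str] = None
    tls_mismatch_id: Optional[str] = None
    tls_alert: Optional[str] = None
    eap_failed: bool = False


def parse_charon_log(text: str) -> Attempt:
    """Walk the log once and collect the facts relevant to an EAP client attempt."""
    att = Attempt()
    for raw in text.splitlines():
        line = LINE_RE.match(raw)
        if not line:
            continue
        msg = line.group("msg")
        if m := PROPOSAL_RE.search(msg):
            att.ike_proposal = m.group("p")
        elif m := GW_AUTH_RE.search(msg):
            att.gateway_id, att.gateway_auth = m.group("id"), m.group("m")
        elif m := EAP_REQ_RE.search(msg):
            att.eap_methods.append(m.group("m"))
        elif m := EAP_OK_RE.search(msg):
            att.eap_succeeded = m.group("m")
        elif m := TLS_SUITE_RE.search(msg):
            att.tls_suite = m.group("s")
        elif m := TLS_MISMATCH_RE.search(msg):
            att.tls_mismatch_id = m.group("id")
        elif m := TLS_ALERT_RE.search(msg):
            att.tls_alert = m.group("a")
        elif "received EAP_FAILURE" in msg:
            att.eap_failed = True
    return att


def diagnose(att: Attempt) -> List[str]:
    """Return short finding codes, in a fixed order, for the parsed attempt."""
    findings = ["gateway-auth-ok" if att.gateway_auth else "gateway-auth-missing"]
    # The TLS failure happens inside the PEAP tunnel: the inner server cert was
    # checked against the IKE identity (the gateway IP) and did not match, so the
    # client aborted with 'access denied' before sending any credential.
    if "EAP_PEAP" in att.eap_methods and att.tls_mismatch_id:
        findings.append("peap-inner-cert-mismatch")
    if att.eap_failed:
        findings.append("eap-failed")
    if att.eap_succeeded:
        findings.append("eap-ok:" + att.eap_succeeded)
    # modp1024 (DH group 2) is below current recommendations; it is what the
    # gateway offers, so flag it rather than fail on it.
    if att.ike_proposal and "MODP_1024" in att.ike_proposal:
        findings.append("weak-dh-modp1024")
    return findings


if __name__ == "__main__":
    for name, log in (("failed", FAILED_LOG), ("success", SUCCESS_LOG)):
        print(name, diagnose(parse_charon_log(log)))
```

Two practical notes. First, the fix from the edit, unloading the PEAP plugin so charon refuses that method and the gateway has to offer another one, is a single strongswan.conf setting, `charon { plugins { eap-peap { load = no } } }`; the strongswan.conf man page documents that the charon-nm and charon-cmd sections fall back to the charon section, so placing it there covers both the NetworkManager plugin and the charon-cmd test above. Second, that workaround is acceptable here because the log shows the IKE_SA itself was already authenticated by the gateway's RSA signature before EAP started, so the remaining EAP exchange still runs inside an authenticated, encrypted tunnel; what is lost is only PEAP's second, inner TLS layer, which this gateway presents with a certificate that does not match its IKE identity in any case.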
