No idea for #1, but regarding multifactor, I've used Strongswan with Feitian PKI smartcards. Basically, I have one card that I set up as a CA and use to sign CSRs for "user" smartcards as well as for the VPN servers. You need to have your card and PIN to connect. The private keys are stored on the cards - no PSKs. This is something cool to do if you are cheap. You may be able to do this with Yubikeys, though I haven't tried this.
https://wiki.strongswan.org/projects/strongswan/wiki/SmartCa...
https://github.com/OpenSC/OpenSC/wiki/Feitian-PKI-card
edit:
Some quick and dirty instructions to generate keys/certs that you can use with a Linux or Android client:
git clone https://github.com/ramann/smartcard-pki
cd smartcard-pki
git checkout vpn-phone
# Edit etc/vpn_server.conf to use your server's IP address
bash -x <(grep '`' README.md | tr -d '`') # You really should generate the VPN server's key & request on the VPN server, but this is just to get something working
# Move vpn_server_key.pem, ca/signing-ca.crt, certs/vpn_server.crt, certs/phone.pem to your VPN server's /etc/ipsec.d/
# Edit your VPN server's /etc/ipsec.conf so that leftcert=vpn_server.crt and rightcert=phone.crt
# To set up your Android phone, just import the phone-and-ca.pfx file
# To set up your Linux client (Ubuntu 16.04 in my case), move phone_key.pem, ca/signing-ca.crt, certs/vpn_server.crt, and certs/phone.crt to /etc/ipsec.d
# Edit your client's /etc/ipsec.conf so that leftcert=phone.crt and rightcert=vpn_server.crt
# To start server: sudo ipsec start
# How to start the Android client should be obvious.
# To start linux client: sudo ipsec start; sudo ipsec up connection_name
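The leftcert/rightcert edits described above, written out as an added example of the client-side ipsec.conf and ipsec.secrets (this is not from the post or the smartcard-pki repo; the server address 203.0.113.10, the conn name and the PIN prompt are assumptions, the file names are the post's). It also shows the ipsec.secrets line for the smartcard case from the first paragraph, where the private key never leaves the card.

```conf
# /etc/ipsec.conf on the Linux client (added example; names from the post,
# server address and conn name assumed). strongSwan resolves the bare file
# names below under /etc/ipsec.d/certs, /etc/ipsec.d/cacerts, /etc/ipsec.d/private.
config setup
    charondebug="ike 1, cfg 1"      # enough detail to see why a cert is rejected

conn phone-vpn
    keyexchange=ikev2
    left=%defaultroute
    leftauth=pubkey
    leftcert=phone.crt              # client cert, signed by ca/signing-ca.crt
    leftsourceip=%config            # ask the server for a virtual IP
    right=203.0.113.10              # assumed server address (must match etc/vpn_server.conf)
    rightauth=pubkey
    rightcert=vpn_server.crt        # pin the server cert; any other cert from the CA is refused
    rightsubnet=0.0.0.0/0
    auto=add                        # then: sudo ipsec up phone-vpn

# /etc/ipsec.secrets on the same client
# Quick recipe from the post: the client key is a PEM file on disk.
: RSA phone_key.pem
# Smartcard variant: the key stays on the card and charon prompts for the PIN
# at "ipsec up". Pair it with leftcert=%smartcard in the conn above so the
# certificate is read off the card as well.
# : PIN %smartcard %prompt
```

Leave only one of the two secrets lines active: with both, charon would still authenticate with the on-disk key and the card would add nothing.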