One of these days I would like to setup and mess around with an opensource IPSEC server and connect our iOS devices to it. One thing our F5 can do is NT authentication and then pass those credentials on to our Qlikview Server, I wonder if StrongSwan can do that?
For a Cisco IPSec Gateway on Linux, I recommend you use Open source package StrongSwan for your iOS VPN on Demand
Use –enable-cisco-quirks parameter to build StrongSwan to make it compatible with Cisco IPSEC. It is a stable certification based, IPsec Gateway on linux that is compatible with iOS VPN on Demand requirements.
Check following link for setup iOS on StrongSwan:
http://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)
Authentication uses XAUTH and certificates (authby=xauthrsasig).The described setup has been tested and confirmed working on an iPad 2 with iOS 4.3.1, but is expected to work on all other iOS devices (iPhone, iPad, iPod Touch) running an up to date iOS version.
Michael Ellerbeck 
I happen to have successfully built a StrongSwan based solution for VPN on Demand. See http://jelockwood.blogspot.co.uk/2014/03/how-to-do-vpn-on-demand-for-ios-at-zero.html
As you will see it is not as easy you might think if you want to avoid having to constantly re-enter the users password. This is because Apple don’t let you save the password in a mobileconfig profile.
It works fine for iOS 7 or later, I did not bother trying with older versions.
For my on demand rule I use URLStringProbe to test I can access a URL on my VPN server and if successfull I then I have an action of Connect. This means as long as the iOS device can access the Internet and as long as my VPN server is working the iOS device will then do an automatic VPN connection via which all traffic is then sent.
I’ve put up an article on this topic that I hope will help others:
see Setting Up an iOS 7 On-Demand VPN:
http://www.derman.com/blogs/Setting-Up-iOS-OnDemand-VPN