So I finally had time to follow the guide https://docs.opnsense.org/manual/how-tos/ipsec-swanctl-rw-ikev2-eap-mschapv2.html to move my legacy tunnel to the new connections.
I was able to get my Windows 11 up and running in no time.
However, there is a step missing in the doc, causing the native Android VPN client to not work (which is why the guide only mentions using StrongSwan on Android? ::))
There is no error log on the OPNsense side; on Android it terminated the connection with the error:
setting state=FAILED, reason=The remote/server failed to provide a end certificate
So obviously this just needs to be fixed by setting Send certificate to always in the general settings; however, this step is missing:
https://docs.opnsense.org/manual/how-tos/ipsec-swanctl-rw-ikev2-eap-mschapv2.html#vpn-ipsec-connections
I don't see how I can update the doc, so if someone can help update this section to help future users, that would be great.