
L2TP over IPSec on Debian 10

My Debian 10 box has a Wifi interface, wlx08beac0a6c1d, running a WEP AP for old hardware that doesn't support WPA. My main network is 192.168.1.0/24 and this interface is configured to be 192.168.2.1. For starters that interface is restricted to one MAC and it only allows DHCP on that network:
iptables -A INPUT -i wlx08beac0a6c1d -m mac ! --mac-source 00:30:65:05:9F:4D -j DROP
iptables -A INPUT -i wlx08beac0a6c1d -p udp --dport 67:68 --sport 67:68 -j ACCEPT
iptables -A INPUT -i wlx08beac0a6c1d -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i wlx08beac0a6c1d -j DROP
(The MAC check is also in hostapd.conf -- where of course it is just as ineffective a security measure (although it's probably fairly effective here in Shropshire).) This device (claims to) support L2TP over IPSec. I imagine that by opening another port for this I can get this old machine to join the rest of my network through a tunnel to that port and that once connected the old machine will appear as if it is on my network. Is this so? Or have I got the wrong end of the stick? Is this now secure on the WEP network? It looks like the packages needed are strongswan and xl2tpd? It looks like IPSec is going to encrypt traffic over the WEP network, and that I'll need to open some more ports to allow the encryption to be negotiated and started? It then looks like L2TP will establish a PPP connection to another port on Debian and route all traffic through it? So the old machine will get a second IP address for this PPP connection? And how will it appear in Debian (and be routable between the rest of my network and the Internet)? So: first is strongswan...
# apt-get install strongswan
And now I really don't understand what to do. I've done what it says here https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-18-04-2 and ended up with this ipsec.conf:
config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn wep-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=192.168.2.31
    leftcert=server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=192.168.2.0/24
    rightdns=192.168.2.31
    rightsendcert=never
    eap_identity=%identity
I think that _left_ is correct if you interpret it as being _this_ machine, but not sure about _right_, which presumably is some _other_ thing? Then it goes on to do something with something called _UFW_, but I am using iptables. I think I need
iptables -A INPUT -i wlx08beac0a6c1d -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i wlx08beac0a6c1d -p udp --dport 4500 -j ACCEPT
to allow connections to IPsec. Then the next part of the trick is xl2tpd...
# apt-get install xl2tpd
/etc/xl2tpd/xl2tpd.conf
[global]
ipsec saref = yes
access control = no

[lns default]
ip range = 192.168.3.100-192.168.3.254
local ip = 192.168.3.1
refuse chap = yes
refuse pap = yes
require authentication = yes
pppoptfile = /etc/ppp/xl2tpd-options
length bit = yes
/etc/ppp/xl2tpd-options
require-mschap-v2
ms-dns 192.168.3.1
Add to /etc/ppp/chap-secrets. And
iptables -A INPUT -i wlx08beac0a6c1d -p udp --dport 1701 -j ACCEPT
Obviously, it doesn't work.
Asked by Richard Barraclough (550 rep)
Nov 10, 2020, 05:37 PM
Last activity: Jul 2, 2025, 12:03 PM
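As an added example (not part of the question), a small Python checker run over the iptables commands quoted above: because every rule is appended with -A, the three ACCEPT rules for UDP 500, 4500 and 1701 land after the interface's catch-all DROP and are never reached. The rule text and interface name are taken from the question; the checker itself is assumed, not an existing tool.

```python
import shlex

# Constructed from the question's commands: original INPUT rules, then the IPsec/L2TP ones appended.
RULES = """
iptables -A INPUT -i wlx08beac0a6c1d -m mac ! --mac-source 00:30:65:05:9F:4D -j DROP
iptables -A INPUT -i wlx08beac0a6c1d -p udp --dport 67:68 --sport 67:68 -j ACCEPT
iptables -A INPUT -i wlx08beac0a6c1d -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i wlx08beac0a6c1d -j DROP
iptables -A INPUT -i wlx08beac0a6c1d -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i wlx08beac0a6c1d -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -i wlx08beac0a6c1d -p udp --dport 1701 -j ACCEPT
"""

FIELD = {"-A": "chain", "-i": "iface", "-p": "proto", "--dport": "dport", "-j": "target"}

def parse_rule(line):
    """Fields the check needs from an 'iptables -A CHAIN ...' command (assumes -A, as in the question)."""
    argv, r, i = shlex.split(line), {"narrowed": False}, 1
    while i < len(argv):
        opt = argv[i]
        if opt in FIELD:
            r[FIELD[opt]] = argv[i + 1]
        elif opt in ("-m", "!"):      # an extra match module or a negation narrows the rule
            r["narrowed"] = True
        i += 1 if opt == "!" else 2   # every other option used here takes one argument
    return r

def is_catch_all(r):
    """Terminating rule with no protocol, port or extra match: nothing on that chain/interface gets past it."""
    return (r.get("target") in ("DROP", "REJECT") and "proto" not in r
            and "dport" not in r and not r["narrowed"])

def shadowed_rules(ruleset_text):
    """1-based indexes of rules sitting after a catch-all DROP/REJECT for the same
    chain and interface; iptables walks a chain in order, so they never match."""
    blockers, shadowed = [], []
    lines = [l for l in ruleset_text.splitlines() if l.strip()]
    for n, line in enumerate(lines, 1):
        r = parse_rule(line)
        if any(c == r.get("chain") and i in (None, r.get("iface")) for c, i in blockers):
            shadowed.append(n)
        elif is_catch_all(r):
            blockers.append((r["chain"], r.get("iface")))
    return shadowed

def reordered(ruleset_text):
    """Same rules with every catch-all moved last: accept what you want, then drop the rest."""
    lines = [l for l in ruleset_text.splitlines() if l.strip()]
    return "\n".join([l for l in lines if not is_catch_all(parse_rule(l))]
                     + [l for l in lines if is_catch_all(parse_rule(l))])
```

`shadowed_rules(RULES)` reports rules 5, 6 and 7 as unreachable, and `reordered(RULES)` gives the same rules in an order where the DROP comes last.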