Comment 44 for bug 1587886

Douglas Kosovic (dkosovic) wrote :

I can confirm NetworkManager-l2tp is working fine with the following yakkety-proposed packages:
  strongswan_5.3.5-1ubuntu4.1_all
  strongswan-charon_5.3.5-1ubuntu4.1_amd64
  strongswan-libcharon_5.3.5-1ubuntu4.1_amd64
  strongswan-starter_5.3.5-1ubuntu4.1_amd64
  libstrongswan_5.3.5-1ubuntu4.1_amd64
  libstrongswan-standard-plugins_5.3.5-1ubuntu4.1_amd64

The only strongswan AppArmor-related messages I see are just status messages, which are fine:

Feb 18 11:50:32 ubuntu audit[506]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/ipsec/charon" pid=506 comm="apparmor_parser"
Feb 18 11:50:32 ubuntu audit[507]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/ipsec/stroke" pid=507 comm="apparmor_parser"

Having said that, on Yakkety Yak with the stock strongswan_5.3.5-1ubuntu4 packages (unlike Xenial Xerus), I'm able to establish a VPN connection with NetworkManager-l2tp even though I see lots of the following AppArmor denied messages:

Feb 18 11:43:33 ubuntu audit[4002]: AVC apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/ipsec/charon" name="run/systemd/journal/dev-log" pid=4002 comm="charon" requested_mask="w" denied_mask="w" fsuid=0 ouid=0

But I think strongswan 5.3.5-1ubuntu4.1 is definitely worthwhile to get rid of those AppArmor denied messages.