Yes, in the context of strongSwan, or more generally IKEv2, the EAP messages are transmitted encrypted in the IKE_AUTH exchanges. Man-in-the-middle attacks are averted by first authenticating the server with certificates using standard IKEv2 authentication. The security considerations in the IKEv2 RFC actually say:
An implementation using EAP MUST also use a public-key-based
authentication of the server to the client before the EAP
authentication begins...
That's the case unless an EAP method with mutual authentication (e.g. EAP-TLS, but not EAP-MD5) is used and the client supports EAP-only authentication.
If the EAP authentication is not terminated on the VPN server but e.g. a separate RADIUS server, one has to consider that the communication between these two is generally not encrypted. To not leak any information there it is also possible to use EAP-MD5 within other EAP methods (e.g. EAP-TTLS or EAP-PEAP), which provide a TLS tunnel within which the EAP-MD5 messages are transported to the authentication server. This also allows the client to authenticate that server, which is not possible with EAP-MD5 alone, as it does not provide mutual authentication. Combining such tunneling EAP methods with simple user authentication is also quite common for the WiFi use case (e.g. EAP-PEAP/EAP-MSCHAPv2).