I've used Duo Security's product plus local authentication successfully for a remote access SSL VPN coming into an ASA.
Is there a reason why you're using the older IPsec client (or are you using AnyConnect with IPsec IKEv2)? I ask because the old client is deprecated and no longer supported. It has issues working with Windows 8 and later OSes.
That aside, as with any problem, start by breaking it into small pieces. I'd recommend starting with local authentication only. Get that working. Once it is, then add in the two-factor bit. I followed the Duo instructions and found them to be pretty spot on in my case.