As the name implies, the VPN type IKEv2/IPSec RSA [sic, it should actually be "IPsec" not "IPSec"] is for client authentication with an RSA certificate/key. The name was probably chosen for consistency with the existing IKEv1-based VPN types (e.g. "L2TP/IPSec RSA" or "IPSec Xauth RSA"), it might also work with ECDSA certificates/keys not only RSA, but I did not test that.
There were two other IKEv2 VPN types added in Android 11/R's built-in VPN client:
IKEv2/IPSec PSK for authentication of both client and server with a pre-shared key (PSK), which is not an ideal choice for remote access connections as anybody who knows the PSK can impersonate the server (an active attacker can retrieve the PSK hash and attack it via brute-force/dictionary attack).
IKEv2/IPSec MSCHAPv2 for client authentication with username/password using EAP-MSCHAPv2. The server is theoretically authenticated with a certificate first so the password hash is only sent to a trusted peer. However, this verification is apparently not mandatory in this client and disabled by default (don't verify server), which makes this VPN type vulnerable to active attackers unless the user makes sure to install and select the correct CA/server certificate.
For an IKEv2/IPsec VPN client with more options (e.g. split-tunneling, app filtering), you could use the open-source strongSwan VPN client app, which also works on older Android versions. (Disclaimer: I'm a developer for the strongSwan project.)