Can Generated OpenVPN Keys Be Used on Multiple Clients?

IPSec works differently than OpenVPN, I think you will not be able to do exactly the same with SWAN than you do with OpenVPN. There are OpenVPN clients for phones, but yes many of them only include ipsec clients.

What you probably want to do is to setup a tunnel with OpenSWAN and then use that tunneled connection to start a PPP connection/L2TP over it. That will be the part responsible to providing the 'client ip' to the road warriors. This is an article with some examples. The OpenSWAN site also has some quick info on it.

Remember also that IPSec in general is horrible dealing with NATs and that may increase the complexity of the setup.

To respond to each of your points:

1 - You are correct in analogizing the password protection of OpenVPN keys to password protection of SSH keys.

2 - Without using any additional authentication method OpenVPN relies only on the verification of the client certificate by the server (and ideally verification of the server certificate by the client) for authentication of the client. This makes revoking an individual client's access a matter of either adding the client's certificate to a certificate revocation list (CRL) (supported by versions 1.5 and up of OpenVPN) or removing the key material from the client (or switching up the certificates on all your other clients). If you're not using an additional authentication method you need to have a CRL to allow for client access revocation.

Keep in mind that password protecting the keys doesn't help you at all re: additional authentication. That password just "unlocks" the key on the client device-- it doesn't alleviate the problem of additional authentication of the user on the client to the server computer (and the access revocation problem).

3 - You should generate the private / public key pairs on the clients themselves, as opposed to transmitting them over the wire. You can generate the certificate request on the client, send the public key (in a Certificate Signing Request) up to your CA for signing, and install the signed certificate on the client. This could all be scripted, and I'm sure somebody has already done it (and I'd hope that the commercially licensed OpenVPN product probably has some of that functionality built-in).

I find this My Certificate Wizard project that was written just for this purpose, but I'd go for scripting the entire thing on the client using the OpenSSL command-line tools in an attempt to make the entire process mostly invisible to the user.