To use the Symantec server (or other token-based server) for VIA auth, you need to make sure you have configured only IKE v1. IKE v2's authentication mehods (X.509 cert, EAP-TLS, or EAP-PEAP) do not support the usage of a token server; which usually support PAP or MSCHAP in this function.
Can you confirm your VIA authentication profiles are setup to IKE v1 and not IKE v2?
To answer your first question, to my knowledge there is not any way to enter additional fields for passwords/tokens or to concatenate a passord and security code as you suggest (unless the Symantec server is able to parse out the two somehow and to understand that the last 6 digitys are the code and rest is the password; for example).
Alternatively, I have setup some customers to use certificate-based auth then username/token as a way to do two-factor auth.....also through IKE v1.