Hi,
Spent a while trying to troubleshoot an issue with Always on VPN when using computer certificates for authentication with IKEv2.
On the client end we receive the error "IKE failed to find valid machine certificate. Contact your Network Security Administrator about installing a valid certificate in the appropriate Certificate Store."
On the server in the event log the error "CoId={9B036532-06D1-2BC2-F7BF-843F27270EBD}: The following error occurred in the Point to Point Protocol module on port: VPN2-127, UserName: XXXX.LOCAL.DOMAIN.UK. IKE failed to find valid machine certificate. Contact your Network Security Administrator about installing a valid certificate in the appropriate Certificate Store."
Current Setup of Server:
Windows 2012 R2:
- RRAS configured with only IKEv2 Machine Authentication
- All ports on RRAS disabled except PPPoE and IKEv2
- No NPS configuration changed as I believe the RAS server checks certificates rather than using NPS.
- Configured with a local certificate with the Subject Name CN set as vpn.domain.uk. EKU set as Server and IKE Authentication. No other local certificate installed. Certificate is trusted by the Enterprise CA Root and is in the store. Certificate is RSA 2048 SHA256.
- 1 Ethernet adapter with private IP assigned.
- External Firewall that is Network Translating external IP to private IP of RRAS server
- Only ports 500 UDP and 4500 UDP are being seen on the firewall, and therefore these are the only ports that have NAT rules in place.
Windows 10 1709:
- Configured VPN host name set to vpn.domain.uk
- Configured with a local certificate. EKU set as Client Authentication. No other certificate installed. Certificate is trusted by the same Enterprise CA Root the server certificate has and in store. Certificate is RSA 2048 SHA256.
The client certificate is OK, because when the laptop is plugged into the corporate network, 802.1x authentication uses the same certificate as would be used for VPN and works.
Anybody have any idea why the client is not working? It doesn't matter what certificate I mess around with on the server (DNS, CN names etc.); using IP or hostname results in the same error "Contact your Network Security Administrator about installing a valid certificate in the appropriate Certificate Store."
I know I am missing something.
I have had it working in the past, but when I started to remove what I thought were useless Trusted Root certificates relating to DirectAccess, it stopped working. DirectAccess was used previously on this server.
We have since installed a new Windows 2012 R2 server and just installed the VPN and not DirectAccess, but receive the same errors.
Also, is there any useful info in the logs that I can check to actually see what certificate is being sent to the client, as it obviously isn't the vpn.domain.uk one?
Thanks, any help appreciated.
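An added example (not from the original post) of how to answer the last two questions locally instead of by swapping certificates: it reports, on either end, whether the computer store holds a certificate with a private key, the expected EKUs and a chain that still builds after the DirectAccess root clean-up, and on the server which certificate RRAS advertises and which root it accepts. It assumes both machines use the LocalMachine\My store and that the RemoteAccess PowerShell module is present on the server; the function name Get-IkeMachineCertReport is made up for this example.

```powershell
# Added example, not from the original post. Lists every certificate in the
# computer store with the facts IKEv2 machine authentication depends on:
# private key present, EKUs, SANs, and whether the chain still builds to a
# trusted root (Verify() uses the machine's current root store, so a root
# removed during the DirectAccess clean-up shows up as ChainBuilds = False).
$ekuNames = @{
    '1.3.6.1.5.5.7.3.1' = 'Server Authentication'
    '1.3.6.1.5.5.7.3.2' = 'Client Authentication'
    '1.3.6.1.5.5.8.2.2' = 'IP security IKE intermediate'
}

function Get-IkeMachineCertReport {
    foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
        $ekus = foreach ($oid in $cert.EnhancedKeyUsageList.ObjectId) {
            if ($ekuNames.ContainsKey($oid)) { $ekuNames[$oid] } else { $oid }
        }
        # Subject Alternative Name extension (OID 2.5.29.17); must cover the
        # host name the client dials (vpn.domain.uk in the post).
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            HasPrivateKey = $cert.HasPrivateKey
            NotAfter      = $cert.NotAfter
            ChainBuilds   = $cert.Verify()   # False when the issuing chain is untrusted or missing
            EKUs          = ($ekus -join ', ')
            SANs          = if ($san) { $san.Format($false) } else { '' }
        }
    }
}

Get-IkeMachineCertReport | Format-List

# RRAS server only: which certificate RRAS presents for IKEv2 and which root it
# accepts from clients. Compare CertificateAdvertised with the vpn.domain.uk
# entry above; when it is empty RRAS selects a certificate on its own.
if (Get-Command Get-VpnAuthProtocol -ErrorAction SilentlyContinue) {
    Get-VpnAuthProtocol |
        Select-Object CertificateAdvertised, RootCertificateNameToAccept, CertificateEKUsToAccept |
        Format-List
}

# Pull the server-side failure lines quoted in the post from the System log.
Get-WinEvent -LogName System -MaxEvents 5000 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*IKE failed to find valid machine certificate*' } |
    Select-Object TimeCreated, Id, Message -First 5
```

Run it once on the RRAS server and once on the Windows 10 client; a certificate with HasPrivateKey = True and the right EKUs but ChainBuilds = False points at the removed root rather than the certificate itself.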