Why does Windows no longer accept the certificate after changing the encryption level for a strongSwan VPN setup?

The following is a stable and working VPN connection between my Windows client and my strongSwan/Linux.

On Windows, using get-VpnConnection

Name                  : myvpn
ServerAddress         : 172.16.2.3
AllUserConnection     : False
Guid                  : {CAFEBABE-DEAD-BEEF-FADE-123456789ABC}
TunnelType            : Ikev2
AuthenticationMethod  : {MachineCertificate}
EncryptionLevel       : Required
L2tpIPsecAuth         :
UseWinlogonCredential : False
EapConfigXmlStream    :
ConnectionStatus      : Disconnected
RememberCredential    : False
SplitTunneling        : False
DnsSuffix             :
IdleDisconnectSeconds : 0

The VPN is configured as such:

Set-VpnConnectionIPsecConfiguration `
    -ConnectionName "myvpn" `
    -AuthenticationTransformConstants SHA1 `
    -CipherTransformConstants AES256 `
    -EncryptionMethod AES256 `
    -IntegrityCheckMethod SHA1 `
    -DHGroup Group2 `
    -PfsGroup None `
    -Force

On Linux, using strongSwan’s, conf file:

conn myvpn
…
leftauth=pubkey
rightauth=pubkey
esp=aes256-sha1!
ike=aes256-sha1-modp1024!
auto=add

I have generated, and installed, a self signed ca and p12 on my Windows computer.

ca

- Signature algorithm : sha384RSA
- Signature hash algorithm : sha384
- Public key : RSA (4096 Bits)
- Public key parameters : 05 00
- Subject : devel,MANAGER,NETWORK
- Issuer : devel,MANAGER,NETWORK
- Basic Constraints : Type=CA, Path Length Constraint=None
- Certificate Signing, Off-line CRL Signing, CRL Signing (06)

p12

- Signature algorithm : sha256RSA
- Signature hash algorithm : sha256
- Subject : nathan,DVL-00-000-605,MANAGER,NETWORK
- Public key : RSA (2048 Bits)
- Public key parameters : 05 00
- Subject : nathan,DVL-00-000-605,MANAGER,NETWORK
- Issuer : devel,MANAGER,NETWORK
- You have a private key that correspond to this certificate

Which Windows and strongSwan happily accepts and the VPN connects.

The problem is I need to upgrade the encryption scheme for my VPN.
I’ve been instructed these settings at least:

esp=aes256-sha256-noesn!
ike=aes256-sha256-prfsha256-ecp256!

It seems to me that the equivalent in Windows terms would be:

PS C:Usersnrago> Set-VpnConnectionIPsecConfiguration `
    -ConnectionName "myvpn" `
    -AuthenticationTransformConstants SHA256128 `
    -CipherTransformConstants AES256 `
    -DHGroup ECP256 `
    -EncryptionMethod AES256 `
    -IntegrityCheckMethod SHA256 `
    -PfsGroup ECP256 `
    -Force

The Windows client and strongSwan seems to agree on the new encryption standard:

Mar 19 11:55:58.+0100 DVL-00-000-605 ipsec: 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ] 
Mar 19 11:55:58.+0100 DVL-00-000-605 ipsec: 11[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID 
Mar 19 11:55:58.+0100 DVL-00-000-605 ipsec: 11[IKE] received MS-Negotiation Discovery Capable vendor ID 
Mar 19 11:55:58.+0100 DVL-00-000-605 ipsec: 11[IKE] received Vid-Initial-Contact vendor ID 
Mar 19 11:55:58.+0100 DVL-00-000-605 ipsec: 11[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02 
Mar 19 11:55:58.+0100 DVL-00-000-605 ipsec: 11[IKE] 172.16.2.2 is initiating an IKE_SA 
Mar 19 11:55:58.+0100 DVL-00-000-605 ipsec: 11[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256 
Mar 19 11:55:58.+0100 DVL-00-000-605 ipsec: 11[IKE] sending cert request for "C=NETWORK, O=MANAGER, CN=devel" 
Mar 19 11:55:58.+0100 DVL-00-000-605 ipsec: 11[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ] 
Mar 19 11:55:58.+0100 DVL-00-000-605 ipsec: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ] 
Mar 19 11:55:58.+0100 DVL-00-000-605 ipsec: 08[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID 
Mar 19 11:55:58.+0100 DVL-00-000-605 ipsec: 08[IKE] received MS-Negotiation Discovery Capable vendor ID 
Mar 19 11:55:58.+0100 DVL-00-000-605 ipsec: 08[IKE] received Vid-Initial-Contact vendor ID 
Mar 19 11:55:58.+0100 DVL-00-000-605 ipsec: 08[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02 
Mar 19 11:55:58.+0100 DVL-00-000-605 ipsec: 08[IKE] 172.16.2.2 is initiating an IKE_SA 
Mar 19 11:55:58.+0100 DVL-00-000-605 ipsec: 08[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256 
Mar 19 11:55:58.+0100 DVL-00-000-605 ipsec: 08[IKE] sending cert request for "C=NETWORK, O=MANAGER, CN=devel" 
Mar 19 11:55:58.+0100 DVL-00-000-605 ipsec: 08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]

But unlike before, with the lower encryption level, Windows no longer find my certificate suitable. The GUI returns:

“IKE failed to find valid machine certificate. Contact your Network Security Administrator about installing a valid certificate in the appropriate Certificate Store.”

Why does Windows no longer accept the certificate after changing the encryption level? What step can I add, or change, to allow Windows to connect to the server?