Earned. Everywhere in the configs, I specified the path to the certificates starting from / var. Trial and error method. It's hard to say exactly what was wrong.
Still fell - Group Policy Mapping Error. Also what the heck is this.

I have been fighting with this garbage for a long time, but so far I have not been able to overcome it. It's a shame that - once it worked for me, not with winX though, but with win7 - and then it stopped and I can't understand anything why. For now, we can assume that IPSec Windows is a Mikrotik, for example (I don’t know what you have on the other side) on IKEv2 simply does not work.
Artem , "unacceptable credentials" - this is reported by Windows. In fact, the data there is acceptable, the problem occurs on the second side, but why is still unclear. Not everything that quacks like a duck and swims like a duck is a duck...

Perhaps it's the capital letter in the certificate name. Here in the section where the client certificate is created, there is even an insert about it . I myself recently encountered this, puzzled for 3 days why this is so. But it turned out that I made one certificate in small letters, and the second in capital letters (I liked it that way). And I was looking for a long time, what the hell.