Hello,
I am looking into setting up a Windows client in tunnel mode, without using the standard VPN client, with username/password (EAP authentication), along the lines of how I connect my strongSwan client in this post:
http://forum.mikrotik.com/t/vpn-gateway-ikev2-roadwarriors-and-ipv6/173511/1
As far as I can tell, I won’t be able to use the built-in client interface without getting an IP from the responder.
Does anyone have any experience that can be shared on how to achieve this?
The following PowerShell cmdlet looks promising:
https://learn.microsoft.com/en-us/powershell/module/netsecurity/new-netipsecrule
In combination with this one:
https://learn.microsoft.com/en-us/powershell/module/netsecurity/new-netipsecphase2authset
But it seems unclear whether it can do EAP authentication.
If anyone has done a similar setup between Windows servers or clients, their input would be very welcome.
It might not be doable:
Windows supports four distinct types of authentications: Kerberos, certificates, NTLMv2, and preshared key.
https://learn.microsoft.com/en-us/azure/expressroute/expressroute-howto-ipsec-transport-private-windows
This seems to be the Microsoft proprietary protocol AuthIP:
https://learn.microsoft.com/en-us/windows/win32/fwp/ipsec-configuration#what-is-authip
The Add-VpnConnection cmdlet seems promising:
https://learn.microsoft.com/en-us/powershell/module/vpnclient/add-vpnconnection
But configuring “plain tunnel mode” as in strongSwan doesn’t seem clear in any way.