Issues with getting IKEv2 set up on a new RRAS server

Barton Hodges 0 Reputation points
2024-12-05T21:53:09.8133333+00:00

I have a new Windows Server 2022 VM set up, I'm setting it up as a RRAS / VPN server. Hoping to use IKEv2 / machine certificate auth since I guess MSCHAPv2 is now deprecated, or not the best practice?

I set up the VPN using the basic RRAS wizards, created a certificate for my server, made sure IKEv2 was a valid auth method for the server, bound the certificate to the server. Just to test, I left MSCHAPv2 as an alternate auth method.

Set up my firewall rules both on the server for port 500, 4500 UDP, and my external firewall, for 80/443/500/4500/protocol 50.

On my Windows 11 client test machine, off site, imported the machine certificate to trusted root CA. Created a VPN profile to my public IP address. It gives me an error 'username/password not found, or authentication method not accepted.' - fine, I was hoping it would just work out of the box, but I edited my VPN profile to explicitly allow MSCHAPv2 auth, and the VPN connects just fine. Success!

I went to test the IKEv2 method, removed the VPN profile, recreated it. Disabled MSCHAPv2 on the server. Go to connect, and strangely get the error that 'the server isn't responding'.

To diagnose, I telnetted to port 500 and 4500, but both do not connect. I went to the server, telnetted to localhost, 500 and 4500 also don't connect. Disabled the Windows firewall, still nothing. Did a `netstat -ano`, port 500 and 4500 are bound to 0.0.0.0, and listening from my RRAS/IKE service. Very strange.

I've tried everything I can think of, but just not getting anything on either of those ports. I reinstalled RRAS, recreated the bindings, same exact result. Telnet port 80 works just fine, and re-enabling MSCHAPv2 works - so I know the server isn't just not responding to anything...

Windows for business | Windows Server | User experience | Other
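A server-side checklist for the IKEv2 pieces described in this question, as an added example (not commands from the poster): it assumes an elevated PowerShell session on the RRAS host and checks the UDP 500/4500 sockets (telnet and Test-NetConnection open TCP connections only, so they cannot confirm a UDP listener), the IKE-related services, the inbound firewall rules, and the EKUs on the machine certificate.

```powershell
# Added diagnostic script for an RRAS/IKEv2 server (assumed: run elevated on the server).
# IKEv2 uses UDP 500 and UDP 4500 (plus ESP, IP protocol 50). A TCP probe such as
# telnet cannot reach a UDP socket, so a telnet "connection failed" proves nothing here.

$ikePorts = 500, 4500

# 1. Are the UDP sockets bound, and by which process? (UDP has no LISTENING state.)
Get-NetUDPEndpoint -LocalPort $ikePorts -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess).ProcessName } }

# 2. Services IKEv2 on RRAS depends on: IKE/AuthIP keying, RRAS itself, IPsec policy agent.
Get-Service IKEEXT, RemoteAccess, PolicyAgent | Select-Object Name, Status, StartType

# 3. Enabled inbound firewall rules that allow UDP 500 or 4500.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $pf.Protocol -eq 'UDP' -and ($pf.LocalPort -match '^(500|4500)$')
    } |
    Select-Object DisplayName, Profile

# 4. Machine certificates with a private key: IKEv2 clients expect the Server
#    Authentication EKU (IP security IKE intermediate is commonly added too), a
#    subject or SAN matching the name the client dials, and an unexpired validity period.
$serverAuth = '1.3.6.1.5.5.7.3.1'   # Server Authentication
$ikeInter   = '1.3.6.1.5.5.8.2.2'   # IP security IKE intermediate
Get-ChildItem Cert:\LocalMachine\My | Where-Object HasPrivateKey | ForEach-Object {
    $ekuExt = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekus   = if ($ekuExt) { $ekuExt.EnhancedKeyUsages.Value } else { @() }
    $sanExt = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    [pscustomobject]@{
        Subject    = $_.Subject
        NotAfter   = $_.NotAfter
        ServerAuth = $ekus -contains $serverAuth
        IKEInterm  = $ekus -contains $ikeInter
        SAN        = if ($sanExt) { $sanExt.Format($false) } else { '(none)' }
    }
}
```

If step 1 shows the sockets bound to 0.0.0.0 and step 3 shows the rules, the remaining suspects are outside the port layer: the certificate rows in step 4 and the edge firewall's handling of UDP 500/4500 and ESP.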