StrongSwan connecting from Windows 10

The answer was in the certificate format for both the server and the client.

Windows requires the Hostname or IP Address to be listed in a san, whilst OSX requires the Remote ID to be in a san, so you end up with a server certificate that looks like this

ipsec pki --pub --in vpn-server-key.pem \
--type rsa | ipsec pki --issue --lifetime 1825 \
--cacert /etc/swanctl/x509ca/server-root-ca.pem \
--cakey /etc/swanctl/private/server-root-key.pem \
--dn "C=GB, O=Self signed, CN=vpnserver" \
--san vpnserver \
--san dns:34.35.36.37 \
--flag serverAuth --flag ikeIntermediate \
--outform pem > vpn-server-cert.pem

A similar story applies for the client certificate. With the swanctl configuration set as eap_id = %any, StrongSwan requests the client for its identity. Windows returns the CN part of its certificate, whilst OSX returns the Local ID, which means the certificate looks like this:

ipsec pki --pub --in vpn-$USER-key.pem \
--type rsa | ipsec pki --issue --lifetime 1825 \
--cacert /etc/swanctl/x509ca/server-root-ca.pem \
--cakey /etc/swanctl/private/server-root-key.pem \
--dn "C=GB, O=Self signed, CN=$USER" \
--san $USER \
--outform pem > vpn-$USER-cert.pem

In the configuration settings of Windows, you can tell it to use a different username and also what server to connect to, which I suspect will make it act the same as OSX, but by default, these are not selected.

Windows also authenticates the server which will give a warning of unknown server, which you can click 'continue' to or you can disable server authentication checking from inside the Windows client VPN settings (not recommended).