We have a VPN configured to use digital certificates to authenticate ISAKMP peers. If one of the peers acts as a CA itself, we will get that error if we leave things as they are. It should work like that, but in fact it doesn't.

A new CA trustpoint is needed on that CA router: authenticate it and obtain the certificate our GETVPN will use. From then on, IKE Phase 1 comes up like a charm.
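The steps above as an IOS configuration sketch, added here as an example and not taken from the original setup. The trustpoint name and key label `GETVPN-ID`, the subject name, and the address `192.0.2.1` (standing for the router's own CA server address) are assumptions.

```cisco
! Added example. Names, key label, subject and 192.0.2.1 are assumptions.
! Run on the router that already hosts the IOS CA server (crypto pki server ...).
!
! Dedicated RSA key pair for the router's own VPN identity
crypto key generate rsa general-keys label GETVPN-ID modulus 2048
!
! New trustpoint, separate from the one the CA server created for itself
crypto pki trustpoint GETVPN-ID
 enrollment url http://192.0.2.1:80
 subject-name CN=ks1.example.com
 rsakeypair GETVPN-ID
 exit
!
! Fetch the CA certificate; compare the fingerprint with the CA's own before accepting
crypto pki authenticate GETVPN-ID
!
! Request the identity certificate that ISAKMP will present to its peers
crypto pki enroll GETVPN-ID
!
! Check: the new trustpoint should hold both a CA certificate and a router certificate
do show crypto pki certificates GETVPN-ID
```

If the CA server is not set to grant requests automatically, the enrollment request has to be granted on the server before the certificate is issued.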

I found this while trying to configure GETVPN; in the setup, one of the KSs was the CA itself. I ran a battery of tests afterwards and found that it may also happen in other VPN types, not only with GETVPN.