I want to setup a Cisco IOS router with a double role GETVPN Key Server and Certificate Authority.
The GMs can authenticate and enroll with the CA(KS) using CA's default trustpoint name (CISCO) but the CA(KS) can't establish GETVPN phase 1 with the GMs and returns the following error:
%CRYPTO-5-IKMP_INVAL_CERT: Certificate received from <GMs IP> is bad: CA request failed!
All routers participating in GETVPN have the clocks sync with an NTP server. All timezones are set identical on all routers.
Should I use different trustpoint for GETVPN than the default one (default one is CISCO) then authenticate and enroll with it?
The default trustpoint (CISCO) can't be used to authenticate and enroll with it (in order to make KS participate in Phase 1 Authentication with GMs).
I find this double role useful because you can save a router.