So I recently went down a rabbit hole the other day trying to figure out why I could not use my IOS PKI Certificate Authority (CA) in another FlexVPN scenario acting as the hub. As I attempted to bring up a FlexVPN session I continued to debug ikev2 packets (debug crypto ikev2 packet) and kept seeing this error:
Payload contents:
NOTIFY(AUTHENTICATION_FAILED) Next payload: NONE, reserved: 0x0, length: 8
Security protocol id: Unknown - 0, spi size: 0, type: AUTHENTICATION_FAILED
Long story short, I was actually trying to use the CA trustpoint within my IKEv2 profile configuration that is used for signing certificates.
The fix is that you must configure a separate trustpoint to then have the CA enroll with itself, and that trustpoint must be configured within your IKEv2 profile. At this point the CA now has an identity certificate it can use in IKEv2 Authentication. As soon as this was done I was able to move forward. Hopefully this helps you, Cheers!