The lab is set up with Central and Remote enrolling with CA. Both successfully obtained their respective digital cert from the CA. However, both failed during the IKE negotiation. The debug is as below:
%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 192.168.1.21 failed its sanity check or is malformed
Did you check the time settings? The certificates contain information about the first and the last point in time at which they are valid. In case the VPN endpoints' local times are not within that time frame, the certificates are rejected.
Yes, I've checked the time settings and ensured that both sides are configured for the same time frame. It may, however, differ by only a few seconds. But overall the certificates are valid. By the way, both routers got their certificates from the same CA.