strongSwan and IKEv2 MS-CHAPv2

Karl_G (Level 1)

Hello! Is it possible to set this up using EKU, without a trusted certificate? I have been fighting with this for a long time; on my test bench it works with trusted certificates, but not with any EKU.

Config:

! Certificate map used by the IKEv2 profile: matches a peer cert whose CN is the responder address
crypto pki certificate map MAPS 10
 subject-name eq cn = 192.168.251.239
!
! Trustpoint TEST: the peer's certificate chain is validated against the CA loaded here
crypto pki certificate chain TEST
 certificate ca ...
 ....
 quit
!
! Declared but empty, and not referenced by the IKEv2 profile below
crypto ikev2 authorization policy TEST
!
! AEAD cipher, so only a PRF and DH group are needed (no separate integrity algorithm)
crypto ikev2 proposal ikev2prop
 encryption aes-gcm-256
 prf sha256
 group 14
!
crypto ikev2 policy ikev2policy
 proposal ikev2prop
!
! This router initiates to 192.168.251.239: the peer authenticates with rsa-sig,
! the router authenticates itself with EAP-MSCHAPv2.
! "authentication remote eap" only applies when this router is the responder.
crypto ikev2 profile ikev2profile
 match certificate MAPS
 authentication remote rsa-sig
 authentication remote eap query-identity
 authentication local eap mschapv2 username cisco password cisco
 pki trustpoint TEST
!
crypto ikev2 disconnect-revoked-peers
!
crypto ipsec transform-set trans esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec profile ipsec
 set transform-set trans
 set ikev2-profile ikev2profile
!
! Tunnel interface toward the strongSwan responder (shown here in the "shutdown" state)
interface Tunnel0
 ip address negotiated
 ip mtu 1438
 ip tcp adjust-mss 1398
 shutdown
 tunnel source Ethernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 192.168.251.239
 tunnel protection ipsec profile ipsec

Debug output (errors):

*Nov 13 19:20:13.185: IKEv2:(SESSION ID = 1,SA ID = 1):Save pubkey
*Nov 13 19:20:13.185: IKEv2-INTERNAL:Peer has sent its own certificate as the first certificate in the chain

*Nov 13 19:20:13.185: IKEv2-ERROR:(SESSION ID = 1,SA ID = 1):: Failed to validate the certificate
*Nov 13 19:20:13.185: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):SM Trace-> SA: I_SPI=454EA02EC7192953 R_SPI=0A78A3CE250345F8 (I) MsgID = 1 CurState: AUTH_DONE Event: EV_FAIL
*Nov 13 19:20:13.185: IKEv2:(SESSION ID = 1,SA ID = 1):Auth exchange failed
*Nov 13 19:20:13.185: IKEv2-ERROR:(SESSION ID = 1,SA ID = 1):: Auth exchange failed

Is there a solution to the problem?
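The debug output above shows the peer's own certificate arriving as the first element of the chain and failing validation straight away, which is what happens when nothing in trustpoint TEST can vouch for its issuer. The shell script below is an added example, not code from the original post, from Cisco or from strongSwan. It assumes only that the openssl command-line tool is installed; the responder address 192.168.251.239 is taken from the post and used as CN and SAN, while the CA names, file names and the "issuing"/"other" labels are made up for the demonstration. It issues a responder certificate carrying the serverAuth EKU plus the IKE intermediate OID 1.3.6.1.5.5.8.2.2 (the pair strongSwan's documentation recommends for IKEv2/EAP clients that check EKUs) and then shows that the leaf validates only against the CA that issued it: an unrelated CA fails the same way the debug does, whatever EKU the certificate carries.

```shell
#!/bin/sh
# Added example, not part of the original post. Requires the openssl CLI.
# Builds a throwaway CA plus a responder certificate shaped like the one the
# post's certificate map expects (CN = 192.168.251.239) and demonstrates that
# chain validation, not the EKU, decides whether the peer cert is trusted.
set -eu

WORK="$(mktemp -d)"            # scratch directory for keys and certificates
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the script does not depend on the system openssl.cnf.
# The [dn] section is empty because every subject is passed with -subj.
cat > "$WORK/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# make_ca NAME LABEL: self-signed CA "NAME" written to $WORK/LABEL.{key,crt}.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/req.cnf" \
        -subj "/CN=$1" -keyout "$WORK/$2.key" -out "$WORK/$2.crt" \
        >/dev/null 2>&1
}

# make_server_cert IP CALABEL: responder cert for IP, signed by that CA.
# EKU = TLS serverAuth + IKE intermediate (1.3.6.1.5.5.8.2.2); SAN = IP.
make_server_cert() {
    cat > "$WORK/srv.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, 1.3.6.1.5.5.8.2.2
subjectAltName = IP:$1
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
        -subj "/CN=$1" -keyout "$WORK/srv.key" -out "$WORK/srv.csr" \
        >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/srv.csr" \
        -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" -CAcreateserial \
        -extfile "$WORK/srv.ext" -out "$WORK/srv.crt" >/dev/null 2>&1
}

# Decoded responder certificate, for inspecting the EKU and SAN it carries.
server_cert_text() {
    openssl x509 -in "$WORK/srv.crt" -noout -text
}

# verify_with_ca CALABEL: path validation as a peer does it with that CA in
# its trust store (the CA loaded into trustpoint TEST). Exit 0 = trusted.
verify_with_ca() {
    openssl verify -CAfile "$WORK/$1.crt" "$WORK/srv.crt" >/dev/null 2>&1
}

# Demo run: the issuing CA validates the leaf; an unrelated CA cannot, which
# is the "Failed to validate the certificate" situation in the debug output.
make_ca "Test IKEv2 CA" issuing
make_ca "Unrelated CA" other
make_server_cert 192.168.251.239 issuing
server_cert_text | grep -E "Server Authentication|IP Address"
if verify_with_ca issuing; then echo "issuing CA in trust store: trusted"; fi
if ! verify_with_ca other; then echo "unrelated CA in trust store: untrusted (EKU does not help)"; fi
```

Run it with sh; the last two lines are the point: the same leaf, with the same EKU and SAN, is trusted or rejected purely on whether its issuer is in the trust store. An EKU is a property of the certificate that is checked only after the chain has been built, so it cannot stand in for the CA certificate in the trustpoint.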