I recently updated about 70 routers from preshared key to certificate authentication. Most of them work fine, but I'm still trying to resolve a problem on 3 of them.
When I use a preshared key, the ISAKMP and IPsec phases complete successfully, but when I use certificates, Phase 1 completes fine and afterwards the devices seem to ignore each other.
The VPN is initiated from a Cisco 831 or 871 behind NAT to a PIX 515.
Attached is a debug example from the 831.