I am attempting to use an "isakmp profile" with a DMVPN configuration so that we can get RADIUS accounting records (which I believe has to be done with an isakmp profile). I can get it to work using preshared keys, but I cannot get it to work using certificates, which is what I need.
The spoke appears to be fine (it goes to IKE_P1_COMPLETE and I do not see any problems in debug). It is only at the hub where the isakmp profile is configured where we end up with "%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 22.214.171.124"
Both devices are definitely authenticated and enrolled with the CA.
I have attached what I believe is the relevant config from the hub and spoke and debug from the hub (edited to take out some identifying information).
Any help appreciated,
Looks like your routers are unable to find a matching ISAKMP profile to match the peers to. You might try creating a certificate map that references the OU of the cert to tell the router which IKE profile to use. You can do so using either of two methods:
1. Create a certificate map using "crypto pki certificate map" command. Specify within that command a parameter to match on (such as "subject-name co ou=mgmt"). Then, under your IKE profile, "match certificate ."
2. Under your IKE profile, simply change the "match identity address 0.0.0.0" command to "match identity group mgmt."
Either way, I think that will solve your problem. Also, it's not shown in your config, but you might also want to edit your "ca trustpoint" config to specify that the keys are for IKE usage only ("usage ike") and which key pair to use ("rsakeypair ").
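Both methods from the reply above, laid out in their IOS configuration hierarchy. This is an added example, not taken from the poster's attached config: every name in capitals is a placeholder, and the IPsec profile section is an assumption about how the DMVPN tunnel protection is set up.

```cisco
! Added example. MY-CA, MY-IKE-KEY, DMVPN-CERTMAP, DMVPN-PROF and
! DMVPN-IPSEC are placeholder names, not values from the original post.
!
! Trustpoint restricted to IKE usage and tied to one key pair
crypto pki trustpoint MY-CA
 usage ike
 rsakeypair MY-IKE-KEY
!
! Method 1: certificate map matching on the OU in the peer's subject name
crypto pki certificate map DMVPN-CERTMAP 10
 subject-name co ou=mgmt
!
crypto isakmp profile DMVPN-PROF
 match certificate DMVPN-CERTMAP
!
! Method 2 (instead of the "match certificate" line above):
! crypto isakmp profile DMVPN-PROF
!  match identity group mgmt
!
! Assumption: the tunnel is protected by an IPsec profile that
! references the ISAKMP profile
crypto ipsec profile DMVPN-IPSEC
 set isakmp-profile DMVPN-PROF
```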