Well, that's a good point, but both peers have the correct ISAKMP policy defined, using rsa-sig authentication, which is the default.
I am not sure if the CA must always be available to the peers even when they authenticate each other. At the moment the CA is not available; it was only available at the moment of enrolling and authenticating certificates.
I know this is a very old post but just in case anyone else has the same issue - check the time on your routers. One of mine was out by about 30 minutes and as soon as I fixed the NTP settings the tunnel came up fine with no errors.
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...