FlexVPN PKI Authentication

Hello Ravi

I’ll do my best to answer your questions.

The reason both pre-shared-key local and pre-shared-key remote are configured on both routers, even though only one side uses a certificate, is because of how IKEv2 mutual authentication works in Cisco IOS when using a mixed mode of RSA-sig and PSK:

  • R1 uses local authentication, where an RSA signature is used, and the certificate is from its PKI trustpoint. R1 also uses PSK for remote authentication.
  • R2 uses PSK for local authentication and RSA signature for its remote authentication (it expects R1’s certificate).

So why are both local and remote PSK configured? Because in Cisco IOS, the pre-shared-key local = the key each router sends to authenticate itself, and the pre-shared-key remote = the key each router expects from the peer.

So even though R1 authenticates itself with a certificate, it still expects a PSK from R2, and R2 authenticates itself with a PSK, but expects a certificate from R1. Therefore, each side must define both directions of the PSK. Does that make sense?

I hope this has been helpful!

Laz
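The mixed RSA-sig/PSK setup described in the answer above, written out as an added IOS configuration example (not the poster's own config); the peer addresses, keyring, profile, trustpoint and key names are assumed placeholders:

```cisco
! ===== R1: authenticates itself with its certificate, expects a PSK from R2 =====
crypto ikev2 keyring KR-R2
 peer R2
  address 10.0.0.2
  ! key R1 would send if it authenticated with PSK (assumed placeholder value)
  pre-shared-key local R1-SENDS-THIS
  ! key R1 expects to receive from R2
  pre-shared-key remote R2-SENDS-THIS
!
crypto ikev2 profile IKEV2-PROF
 match identity remote address 10.0.0.2 255.255.255.255
 identity local dn
 ! R1 signs with the certificate from its PKI trustpoint
 authentication local rsa-sig
 ! R1 validates R2 by PSK
 authentication remote pre-share
 pki trustpoint CA-TP
 keyring local KR-R2
!
! ===== R2: authenticates itself with a PSK, expects R1's certificate =====
crypto ikev2 keyring KR-R1
 peer R1
  address 10.0.0.1
  ! key R2 sends to authenticate itself (must match R1's "remote" key)
  pre-shared-key local R2-SENDS-THIS
  ! key R2 would expect from R1 if R1 used PSK (must match R1's "local" key)
  pre-shared-key remote R1-SENDS-THIS
!
crypto ikev2 profile IKEV2-PROF
 match identity remote address 10.0.0.1 255.255.255.255
 identity local address 10.0.0.2
 ! R2 authenticates with the PSK
 authentication local pre-share
 ! R2 validates R1's RSA signature against the trustpoint's CA
 authentication remote rsa-sig
 pki trustpoint CA-TP
 keyring local KR-R1
```

The "local" value on one router must equal the "remote" value on its peer; a mismatch shows up as an IKEv2 AUTH failure in `debug crypto ikev2`.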