Check both device configurations to make sure they have the same settings. Do some packet captures to see if there is communication between 2 devices and if there are packets that try to establish a VPN connection and enable ike debug logs.

dia de app ike -1
dia de console time en
dia de en

To stop the debug, run the following commands:

   diagnose debug disable

   diagnose debug reset

Note:

More info about IPsec debug logging can be found on this KB article Troubleshooting Tip: IPsec VPNs tunnels but for this case, it is enough to check the problem.

If no logs are shown in the console, it can be possible to enable auto-negotiation under the phase2 interface:

config vpn ipsec phase2-interface

    edit Test-VPN
        set auto-negotiation enable ----> This will initiate auto-negotiation and trigger debug logs.
    next
end

Note:

More info about auto-negotiation can be found here: Technical Tip: Using the IPSec auto-negotiate and keepalive options

 
From debug logs there is this line that shows up: 'failed to load private key /etc/cert/local/root.CERTNAME.key' where CERTNAME is the name of the certificate, which will have a different name in each setup, depending on what is installed.

This line means that IPsec does not find any private key under the certificate repository. A simple check will show an empty certificate:

show full vpn certificate local CERTNAME

config vpn certificate local
    edit "CERTNAME"
        set password ENC ********

        set comments ''
        unset private-key
        set range global
        set source user
        set source-ip 0.0.0.0
        set ike-localid-type asn1dn
        set enroll-protocol none
    next
end

The difference with a full content certificate where the most important parts private-key and certificate-content are available as per the below example:

config vpn certificate local
    edit "CERTNAME"
        set password ENC **********

        set comments ""
        set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIongrsz7x40oCAggA
MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECL4wAGtZrh7qBIIEyIg7zca4bwwU
************************************************************************************************
-----END ENCRYPTED PRIVATE KEY-----"
        set certificate "-----BEGIN CERTIFICATE-----

MIID8zCCAtugAwIBAgIIcGYcRpxVfuYwDQYJKoZIhvcNAQELBQAwgakxCzAJBgNV
BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRIwEAYDVQQHDAlTdW5ueXZhbGUx

***************************************************
-----END CERTIFICATE-----"
        set range global
        set source factory
        set source-ip 0.0.0.0
        set ike-localid-type asn1dn
        set enroll-protocol none
    next
end

In this case, there are some options to fix the issue:

1. It is possible to redeploy the certificate to this device. More Info here: Technical Tip: How to import an SSL certificate as a local certificate
2. It is possible to edit the existing certificate and paste the content from the PEM and key files that have been downloaded from the CA server.

config vpn certificate local

    edit "CERTNAME"

        set private-key "copy full content of private key here"

        set certificate "copy full content of certificate here"

    next

end

After this change, IPsec VPN will come up. Always repeat steps 1-4 and also check if the certificate is properly imported/edited.

In the case that this does not help, contact TAC support for advanced troubleshooting.