Generate a Self-Signed Certificate with OpenSSL for IPsec manifest

Article ID: 430218

Products

VMware Tanzu Platform Core

Issue/Introduction

You need a self-signed certificate for your IPsec manifest (CA cert, instance cert, and instance private key).

Cause

IPsec requires CA and instance certificates and a private key in the manifest. You can generate them using OpenSSL and the script below.

Resolution

Use the script below as your reference. Save it, make it executable, run it, then copy the generated files into your IPsec manifest.

  1. Copy the script below and save it as openssl-create-ipsec-certs.sh in a directory on your machine (for example, ~/workspace).
  2. Go to that directory: cd ~/workspace
  3. Make the script executable: chmod u+x openssl-create-ipsec-certs.sh
  4. Run the script: ./openssl-create-ipsec-certs.sh

This generates four files in a new certs directory where the script is run:

  • ipsec-ca-cert.pem — this value can be used as the CA Cert in the ca_certificates manifest field.
  • ipsec-ca-key.pem — the key used to sign the generated CA Cert.
  • ipsec-peer-key.pem — this value can be used as the instance private key in the instance_private_key manifest field.
  • ipsec-peer-cert.pem — this value can be used as the instance certificate in the instance_certificate manifest field.

Because the instance certificate expires in 365 days, set a calendar reminder to rotate it within the year. For instructions on changing certificates, see Rotating IPsec Certificates.

#!/bin/bash
# Generates a self-signed CA plus a CA-signed peer (instance) certificate and
# key for the IPsec manifest. Output lands in ./certs.

set -o errexit

# Start from a clean output directory
if [ -e certs ]; then
    rm -rf certs
fi

mkdir certs
cd certs

# Temporary OpenSSL configuration. The heredoc delimiter is quoted so that bash
# does not expand $dir to an empty string; OpenSSL resolves it itself.
cat > openssl.cnf <<'EOL'
[ ca ]
default_ca      = CA_default            # The default ca section
[ CA_default ]
dir             = ./demoCA              # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
new_certs_dir   = $dir/newcerts         # default place for new certs.
certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem # The private key
RANDFILE        = $dir/private/.rand    # private random number file
x509_extensions = usr_cert              # The extensions to add to the cert
name_opt        = ca_default            # Subject Name options
cert_opt        = ca_default            # Certificate field options
[ req ]
distinguished_name      = req_distinguished_name
x509_extensions = v3_ca # The extensions to add to the self signed cert
[ req_distinguished_name ]
commonName                      = Common Name (e.g. server FQDN or YOUR name)
[ usr_cert ]
basicConstraints=CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
[ v3_req ]
# Extensions for the peer (instance) certificate: an end-entity certificate
# usable as both server and client
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyAgreement
extendedKeyUsage=serverAuth, clientAuth
[ v3_ca ]
# Extensions for the CA certificate: may sign end-entity certificates only (pathlen:0)
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = critical,CA:true,pathlen:0
keyUsage = cRLSign, keyCertSign

EOL

# 3072-bit CA key and a self-signed CA certificate valid for 3 years (1095 days)
openssl genrsa 3072 > ipsec-ca-key.pem
openssl req -x509 -new -nodes -days 1095 -sha256 -config openssl.cnf -key ipsec-ca-key.pem -subj /CN=IPsec\ AddOn\ CA -out ipsec-ca-cert.pem
# 2048-bit peer key and certificate signing request
openssl req -newkey rsa:2048 -days 365 -nodes -sha256 -subj /CN=IPsec\ peer -keyout ipsec-peer-key.pem -out ipsec-peer-req.pem
# Sign the peer request with the CA, valid for 1 year, applying the v3_req extensions
openssl x509 -req -in ipsec-peer-req.pem -days 365 -extfile openssl.cnf -extensions v3_req -CA ipsec-ca-cert.pem -CAkey ipsec-ca-key.pem -set_serial 01 -out ipsec-peer-cert.pem
# Print both certificates so the extensions and validity can be inspected
openssl x509 -inform pem -in ipsec-peer-cert.pem -text
openssl x509 -inform pem -in ipsec-ca-cert.pem -text

# Remove the temporary config and request; only the four PEM files remain
rm -f openssl.cnf
rm -f ipsec-peer-req.pem

echo " "
echo "New IPsec certificates created in ./certs subdirectory:"
echo " "

ls -la

cd ..
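Before pasting the generated files into the manifest, it is worth confirming that the peer certificate chains to the CA, that the private key matches it, that the extensions are the ones IPsec expects, and how long it is valid. The check below is an added example, not part of the KB script: it assumes openssl on the PATH, and make_demo_certs builds a constructed 30-day CA/peer pair with the same extension profile so the block runs stand-alone; point verify_ipsec_certs at ./certs/ipsec-ca-cert.pem, ./certs/ipsec-peer-cert.pem and ./certs/ipsec-peer-key.pem for the real files.

```shell
#!/bin/bash
# Added example (not the KB's script): check a CA / peer pair before pasting it
# into ca_certificates, instance_certificate and instance_private_key.
set -o errexit

# verify_ipsec_certs CA_CERT PEER_CERT PEER_KEY WARN_DAYS -> 0 if all checks pass
verify_ipsec_certs() {
    local ca="$1" peer="$2" key="$3" warn_days="$4" txt eku
    txt="$(openssl x509 -noout -text -in "$peer")"
    # 1. The peer cert must chain to the CA that goes into ca_certificates.
    openssl verify -CAfile "$ca" "$peer" >/dev/null 2>&1 \
        || { echo "FAIL: $peer does not chain to $ca"; return 1; }
    # 2. The private key must belong to the peer cert (compare public keys).
    [ "$(openssl x509 -noout -pubkey -in "$peer")" = "$(openssl pkey -pubout -in "$key")" ] \
        || { echo "FAIL: $key does not match $peer"; return 1; }
    # 3. Roles: the CA is a CA, the peer is not, and the peer has both EKUs.
    openssl x509 -noout -text -in "$ca" | grep -q 'CA:TRUE' \
        || { echo "FAIL: $ca lacks basicConstraints CA:TRUE"; return 1; }
    echo "$txt" | grep -q 'CA:FALSE' \
        || { echo "FAIL: $peer lacks basicConstraints CA:FALSE"; return 1; }
    for eku in 'TLS Web Server Authentication' 'TLS Web Client Authentication'; do
        echo "$txt" | grep -q "$eku" || { echo "FAIL: $peer lacks EKU $eku"; return 1; }
    done
    # 4. Rotation reminder: fail if the peer cert expires within WARN_DAYS.
    openssl x509 -noout -checkend "$((warn_days * 86400))" -in "$peer" >/dev/null \
        || { echo "FAIL: $peer expires within $warn_days days, rotate it"; return 1; }
    echo "OK: $peer chains to $ca, matches $key, valid for more than $warn_days days"
}

# make_demo_certs DIR: constructed 30-day CA + peer pair with the KB script's
# extension profile (demo input only, not for production use).
make_demo_certs() {
    local d="$1"
    printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' \
        '[ca_ext]' 'basicConstraints = critical,CA:true,pathlen:0' 'keyUsage = cRLSign, keyCertSign' \
        '[peer_ext]' 'basicConstraints = CA:FALSE' 'keyUsage = digitalSignature, keyEncipherment' \
        'extendedKeyUsage = serverAuth, clientAuth' > "$d/demo.cnf"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$d/demo.cnf" \
        -subj '/CN=Demo IPsec CA' -keyout "$d/ca.key" -out "$d/ca.csr" 2>/dev/null
    openssl x509 -req -in "$d/ca.csr" -signkey "$d/ca.key" -days 30 -sha256 \
        -extfile "$d/demo.cnf" -extensions ca_ext -out "$d/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$d/demo.cnf" \
        -subj '/CN=Demo IPsec peer' -keyout "$d/peer.key" -out "$d/peer.csr" 2>/dev/null
    openssl x509 -req -in "$d/peer.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" -set_serial 01 \
        -days 30 -sha256 -extfile "$d/demo.cnf" -extensions peer_ext -out "$d/peer.pem" 2>/dev/null
}
demo="$(mktemp -d)"
make_demo_certs "$demo"
verify_ipsec_certs "$demo/ca.pem" "$demo/peer.pem" "$demo/peer.key" 7
verify_ipsec_certs "$demo/ca.pem" "$demo/peer.pem" "$demo/peer.key" 60 || true  # 30-day cert trips 60
```

For the KB's 365-day instance certificate a WARN_DAYS of 30 turns the calendar reminder into a check you can run from a cron job or pipeline.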


Additional Information

IPsec docs: https://techdocs.broadcom.com/us/en/vmware-tanzu/platform/ipsec-encryption/1-9/ipsec/installing.html