During IPsec negotiations authenticated with the use of RSA signatures, some VPN gateways expect the remote site to request the certificates to be exchanged via a "certificate request" (CERTREQ). Among other things, this allows the gateway to select the certificate to be used providing that the gateway trusts more than one CA.
In order to establish a connection to these VPN gateways, the VPN router sends a corresponding CERTREQ when the connection is initiated. This is received by the publisher of the root certificate stored in the router.
