IPSEC site2site VPN, one side behind NAT. PSK works, Public key not

Started by jrp, October 30, 2025, 08:46:38 AM

Hello, I'm trying to set up a VPN connection between two locations, both running OPNsense, latest version. I followed the example in the documentation.

One side is behind a NAT, but it probably doesn't matter. When I use PSK for authentication, everything works fine. When I change it to the public key, an error occurs:
    received AUTHENTICATION_FAILED notify error
I've generated key pairs on both sides and copied the public part to the other site. The names of the certificates are the same as the IDs on both sides.
As the local IP of site A I have the local address before NAT.
Site B's destination has both the local address and the translated address of site A.

I've spent two days playing with this, and I'm out of ideas.

End of log:
    2025-10-30T07:56:44 Informational charon 13[IKE] <2326c338-6fa8-4752-9d2e-20cfbb57e01d|24> received AUTHENTICATION_FAILED notify error
    2025-10-30T07:56:44 Informational charon 13[ENC] <2326c338-6fa8-4752-9d2e-20cfbb57e01d|24> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
    2025-10-30T07:56:44 Informational charon 13[NET] <2326c338-6fa8-4752-9d2e-20cfbb57e01d|24> received packet: from WAN_IPb[4500] to TRANSLATED_WAN_IPa[4500] (80 bytes)
    2025-10-30T07:56:44 Informational charon 08[NET] <2326c338-6fa8-4752-9d2e-20cfbb57e01d|24> sending packet: from TRANSLATED_WAN_IPa[4500] to WAN_IPb[4500] (576 bytes)
    2025-10-30T07:56:44 Informational charon 08[ENC] <2326c338-6fa8-4752-9d2e-20cfbb57e01d|24> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
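Added example, not taken from the post above nor from OPNsense's own generated configuration: the two-site layout the post describes, written in the swanctl.conf syntax of strongSwan, which is the IKE daemon (charon) that OPNsense runs underneath. All addresses, identities, certificate file names and subnets are placeholders. It shows the two things a public-key site-to-site setup depends on: each side's `id` must be the subject DN or a subjectAltName of the certificate that side presents, and the peer's `remote { id }` must match that value exactly; and the box behind NAT keeps its pre-NAT address as `local_addrs`, while its peer's `remote_addrs` points at the translated address that actually arrives on the wire.

```conf
# --- Site A (behind NAT) --- /usr/local/etc/swanctl/conf.d/siteA.conf (placeholder path)
connections {
    siteA-to-siteB {
        version      = 2
        local_addrs  = 192.0.2.10          # site A WAN address *before* NAT (placeholder)
        remote_addrs = 198.51.100.20       # site B WAN address (placeholder)
        encap        = yes                 # keep IKE/ESP on UDP 4500 through the NAT
        proposals    = aes256-sha256-x25519
        local {
            auth  = pubkey
            certs = siteA.pem              # subject DN or SAN of this cert must carry the id below
            id    = "CN=siteA.example.net"
        }
        remote {
            auth = pubkey
            id   = "CN=siteB.example.net"  # must be the subject DN or a SAN of site B's cert
        }
        children {
            lan {
                local_ts      = 10.1.0.0/24
                remote_ts     = 10.2.0.0/24
                esp_proposals = aes256gcm16-x25519
                start_action  = start
            }
        }
    }
}

# --- Site B (public address) --- /usr/local/etc/swanctl/conf.d/siteB.conf (placeholder path)
connections {
    siteB-to-siteA {
        version      = 2
        local_addrs  = 198.51.100.20       # site B WAN address (placeholder)
        remote_addrs = 203.0.113.5         # site A's *translated* address, as seen on the wire (placeholder)
        proposals    = aes256-sha256-x25519
        local {
            auth  = pubkey
            certs = siteB.pem
            id    = "CN=siteB.example.net"
        }
        remote {
            auth = pubkey
            id   = "CN=siteA.example.net"  # identity site A sends as IDi, not its IP address
        }
        children {
            lan {
                local_ts      = 10.2.0.0/24
                remote_ts     = 10.1.0.0/24
                esp_proposals = aes256gcm16-x25519
                start_action  = trap         # responder side: install a trap policy and wait
            }
        }
    }
}
```

On either box, `swanctl --list-certs` prints the subject and subjectAltName of every loaded certificate, which is the quickest way to confirm that the string configured as `id` really appears in the certificate the peer trusts; `swanctl --load-all` reloads the configuration after a change. If the identities are tied to the certificates this way, the NAT in between does not affect authentication, because the IDs are strings, not addresses.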