I have a DMVPN network setup and running almost perfectly except I cannot seem to establish a spoke-to-spoke connection between devices that are behind NAT.
Spoke-to-hub is working fine and spoke-to-spoke (when one of the spokes is not behind NAT) is also working.
If I look at my NHRP registrations on the server (hub) all devices are registering their public NBMA addresses but when one spoke tries to communicate to another spoke (both behind NAT) the NHRP on one side will always say 'incomplete' while the other side has the correct information. So, if I try to ping from VPN02 to VPN04, the NHRP on VPN02 will be incomplete while VPN04 has the correct info.
I've attached my configs and a diagram, hopefully someone out there has seen this before.