Okay, the issue here is that you want to use NTP, because we all know those pesky certificates will fail when your router wakes up in 1993. The problem is, you can't build a crypto tunnel to your NTP source until the router gets the correct time: a catch-22.
Use multiple authentication methods in your crypto policy, and use a pre-shared key to the crypto peer protecting your NTP server.
Define multiple NTP peers, some protected by IPsec which are "preferred", and some not protected that the router can use to get time in the wake-up process. (Remember that you can use different source interfaces for different NTP peers.)
If you are using Tunnel Endpoint Discovery, you can use the NTP protocol to create a crypto tunnel to a monitoring site from a private IP address source on the remote router, and then use this encrypted tunnel from the central site to manage the remote router via telnet/ssh to the private IP address on the remote router. That way, as a fallback if crypto has failed, you can still telnet/ssh to the public IP address of the remote router outside the crypto tunnel.
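The first two suggestions above (a pre-shared key for the peer in front of the NTP server, plus a preferred protected source and an unprotected bootstrap source) could look like this on the remote router. This is an added example, not configuration from the original post; every address, interface name, policy number, map/ACL name and the key placeholder are assumptions, and the peer at 192.0.2.1 is assumed to accept pre-shared-key authentication.

```cisco
! Constructed example: all addresses, names and keys are placeholders.
! IKE phase 1: certificates first, pre-shared key as the second method.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication rsa-sig
 group 14
crypto isakmp policy 20
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
!
! Pre-shared key only for the crypto peer protecting the NTP server.
! This tunnel can come up while the local clock is still wrong and
! certificate validity checks would fail.
crypto isakmp key <PRE-SHARED-KEY> address 192.0.2.1
!
crypto ipsec transform-set NTP-TS esp-aes 256 esp-sha-hmac
!
! Encrypt only NTP sourced from the private loopback to the internal server.
ip access-list extended NTP-PROTECTED
 permit udp host 10.1.1.1 host 10.10.10.1 eq ntp
!
crypto map OUTSIDE-MAP 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set NTP-TS
 match address NTP-PROTECTED
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.255
!
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.252
 crypto map OUTSIDE-MAP
!
! Preferred source: reached through the tunnel, sourced from the loopback.
ntp server 10.10.10.1 source Loopback0 prefer
! Bootstrap source: reached in the clear from the public interface,
! used to get time during the wake-up process.
ntp server 198.51.100.10 source GigabitEthernet0/0
```

Once the clock has been set from either source, `show ntp associations` shows which server the router has selected, and `show crypto isakmp sa` confirms whether the tunnel to the NTP peer is up.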