The hub has address 172.19.10.21 (I've correctly configured BITW with VPN SPA). This address is NATted with static NAT on the 192.168.115.4 outside address on the FWSM. The spoke router has address 192.168.115.254. I've configured FWSM ACLs to permit in two directions ESP on port 500 and ESP over UDP with NAT-T on port 4500. When I bring up the tunnel interface, ISAKMP phase 1 goes well, but in phase 2 negotiation, debug says:
1w3d: ISAKMP:(0:1:HW:2):SA authentication status:
1w3d: ISAKMP:(0:1:HW:2): authenticated
1w3d: IPSEC(validate_transform_proposal): proxy identities not supported
I'm not sure that a DMVPN hub can be NAT'ed, statically or otherwise. Spokes can, but I haven't seen any examples supporting a NAT'ed hub. Logically, it should be possible to statically NAT a hub, but that doesn't mean it actually works. There are also a number of restrictions on DMVPN in a 6500, you might want to check your compatibility:
I had a similar problem, but my hub site is not on an MSFC, but on another router, which is statically NATed by a firewall.
Following the document attached by mflanigan, I updated IOS on the hub and spoke and configured my routers with IPsec transport mode.
I will attach a document about my situation and results. I am not sure if it can help you (you have the hub directly on the MSFC).
The main problem is that IPsec tries to establish the tunnel for the PROXY addresses, and this address is not changed by NAT if it is tunnel mode (encapsulated in new headers). But in the case of transport mode, the proxy addresses can be changed by NAT.
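
The transport-mode change described in the reply above, sketched as an IOS configuration fragment with the tunnel-mode setting beside the transport-mode one. This is an added example, not configuration posted by anyone in the thread; the transform-set name, profile name, tunnel interface number and ESP algorithms are assumptions.

```cisco
! Added example. TS-DMVPN, PROF-DMVPN, Tunnel0 and the esp-aes/esp-sha-hmac
! choice are assumed names and values, not taken from the thread.
!
! Before: tunnel mode (the default for a transform set). The phase 2
! proposal carries proxy identities built from the inner GRE endpoints,
! which the static NAT in front of the hub does not rewrite.
crypto ipsec transform-set TS-DMVPN esp-aes esp-sha-hmac
 mode tunnel
!
! After: transport mode, applied on BOTH hub and spoke as the reply
! describes. ESP protects the GRE packet without adding a new IP header.
crypto ipsec transform-set TS-DMVPN esp-aes esp-sha-hmac
 mode transport
!
! NAT-T (UDP 4500 encapsulation) is enabled by default; shown only so the
! dependency on the firewall rule for UDP 4500 is explicit.
crypto ipsec nat-transparency udp-encapsulation
!
crypto ipsec profile PROF-DMVPN
 set transform-set TS-DMVPN
!
interface Tunnel0
 tunnel protection ipsec profile PROF-DMVPN
!
! Verification after the tunnel comes up:
!   show crypto isakmp sa   - phase 1 state for the peer
!   show crypto ipsec sa    - compare the "local ident" / "remote ident"
!                             proxy identities on hub and spoke, and check
!                             the "in use settings" field for the
!                             negotiated mode
```

If the two ends do not offer the same mode, phase 2 still fails, so the `show crypto ipsec sa` comparison should be done on both routers after the change.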