When using IKEv1 with IPsec tunnels, the pre-shared key (PSK) peer address and the tunnel destination should both be the public IP of the remote side, even if the remote router is behind NAT using an Elastic IP:
```
crypto isakmp key XXXXXXXX address PUBLIC.IP.OF.REMOTE
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 10
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set ESP_AES128_SHA esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec profile ESP_3600_PFS-G2
 set security-association lifetime kilobytes disable
 set transform-set ESP_AES128_SHA
 set pfs group2
!
interface Tunnel1
 ip address 169.254.1.1 255.255.255.252
 keepalive 10 3
 tunnel source GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel destination PUBLIC.IP.OF.REMOTE
 tunnel protection ipsec profile ESP_3600_PFS-G2
!
interface GigabitEthernet1
 ip address 10.10.10.10 255.255.255.0
 ip nat outside
 negotiation auto
 no mop enabled
 no mop sysid
!
ip route 0.0.0.0 0.0.0.0 10.10.10.1
```
I was surprised this worked. Why? Because the tunnel source is GigabitEthernet1's private IP address, 10.10.10.10. I would expect the other side to reject the proposal because that address doesn't match the public IP address configured with the isakmp key.
But looking closer, it's actually using NAT-T (UDP port 4500):
```
csr1000v-1#show crypto session
Interface: Tunnel1
Session status: UP-ACTIVE
Peer: PUBLIC.IP.OF.REMOTE port 4500
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map
```
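The two things worth verifying after a change like this are that the PSK peer address and the tunnel destination agree (the point of the first paragraph), and that the session really came up over NAT-T on UDP 4500 from a private tunnel source (the point of the `show crypto session` output). The script below is an added example, not part of the original post: it parses a constructed IOS config and a constructed `show crypto session` excerpt modelled on the ones above, using the documentation address 203.0.113.10 as a stand-in for PUBLIC.IP.OF.REMOTE, and returns a set of checks a reviewer can run over a device's config and session dump.

```python
import ipaddress
import re

# Constructed sample config, modelled on the snippet in the post.
# 203.0.113.10 is a placeholder for the remote side's public IP.
SAMPLE_CONFIG = """\
crypto isakmp key XXXXXXXX address 203.0.113.10
crypto isakmp keepalive 10 10
!
crypto ipsec profile ESP_3600_PFS-G2
 set transform-set ESP_AES128_SHA
 set pfs group2
!
interface Tunnel1
 ip address 169.254.1.1 255.255.255.252
 tunnel source GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel destination 203.0.113.10
 tunnel protection ipsec profile ESP_3600_PFS-G2
!
interface GigabitEthernet1
 ip address 10.10.10.10 255.255.255.0
 ip nat outside
"""

# Constructed 'show crypto session' excerpt for the same tunnel.
SAMPLE_SESSION = """\
Interface: Tunnel1
Session status: UP-ACTIVE
Peer: 203.0.113.10 port 4500
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map
"""


def parse_config(text):
    """Return (set of PSK peer addresses, {interface: {ip/source/destination}})."""
    psk_peers = set(re.findall(r"^crypto isakmp key \S+ address (\S+)", text, re.M))
    ifaces = {}
    cur = None
    for line in text.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            cur = m.group(1)
            ifaces[cur] = {}
            continue
        if cur is None or not line.startswith(" "):
            continue  # top-level line (or '!'), not part of an interface stanza
        for key, pat in (("ip", r"^\s+ip address (\S+)"),
                         ("source", r"^\s+tunnel source (\S+)"),
                         ("destination", r"^\s+tunnel destination (\S+)")):
            m = re.match(pat, line)
            if m:
                ifaces[cur][key] = m.group(1)
    return psk_peers, ifaces


def parse_session(text):
    """Pull interface, status, peer address/port and SA count from show output."""
    sess = {}
    m = re.search(r"^Interface: (\S+)", text, re.M)
    sess["interface"] = m.group(1) if m else None
    m = re.search(r"^Session status: (\S+)", text, re.M)
    sess["status"] = m.group(1) if m else None
    m = re.search(r"^Peer: (\S+) port (\d+)", text, re.M)
    sess["peer"] = m.group(1) if m else None
    sess["port"] = int(m.group(2)) if m else None
    m = re.search(r"Active SAs: (\d+)", text)
    sess["active_sas"] = int(m.group(1)) if m else 0
    return sess


def check_tunnel(tunnel_name, config_text, session_text):
    """Cross-check a tunnel's config against its live session state."""
    psk_peers, ifaces = parse_config(config_text)
    sess = parse_session(session_text)
    tun = ifaces.get(tunnel_name, {})
    dest = tun.get("destination")
    src_ip = ifaces.get(tun.get("source"), {}).get("ip")
    return {
        # PSK must be keyed to the same public address the tunnel points at
        "psk_matches_destination": dest is not None and dest in psk_peers,
        # live peer should be that same address
        "peer_matches_destination": sess["peer"] == dest,
        # a private tunnel source is the NAT case the post describes
        "source_is_private": bool(src_ip) and ipaddress.ip_address(src_ip).is_private,
        # UDP 4500 means NAT-T was negotiated
        "nat_t": sess["port"] == 4500,
        "up": sess["status"] == "UP-ACTIVE" and sess["active_sas"] >= 2,
    }


if __name__ == "__main__":
    for k, v in check_tunnel("Tunnel1", SAMPLE_CONFIG, SAMPLE_SESSION).items():
        print(f"{k:26} {v}")
```

Feed it the real `show running-config` and `show crypto session` text instead of the constructed samples; a `False` for `psk_matches_destination` is the misconfiguration the first paragraph warns about, and `nat_t` being `False` while `source_is_private` is `True` is the case where the private source would actually be presented to the peer.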