218 Views, 0 Helpful, 2 Replies

ASAv always uses private IP of outside interface for IPsec negotiation

sudsark
Level 1

Hi Team,

I'm encountering an IPsec VPN issue between a Cisco router and a Cisco ASAv (hosted on AWS EC2) and would appreciate your guidance.
</grreplace>
<gr_replace lines="29-31" cat="clarify" orig="The IPSec tunnel">
The IPsec tunnel establishes successfully (Phase 1), but during Phase 2 negotiation the router receives the ASAv's PRIVATE IP instead of its PUBLIC IP for identity matching.

**Environment:**
- Peer 1: Cisco Router (on-premises)
- Peer 2: Cisco ASAv on AWS EC2

**Issue:**
The IPSec tunnel establishes successfully (Phase 1), but during Phase 2
negotiation, the router detects the ASAv's PRIVATE IP instead of its PUBLIC
IP for identity matching.

**Current Behavior:**
- Router peer configuration: Uses ASAv's PUBLIC IP (Elastic IP)
- Phase 2 negotiation: Router receives ASAv's PRIVATE IP as remote identity
- Result: Identity mismatch causes negotiation failures

**Workaround Found:**
Modifying the router configuration to either:
1. `match identity remote any` (less secure)
2. `match identity remote <private-ip>` (works but not ideal)

For example: in the router configuration below I had to change `match identity remote` to `any` instead of pointing it at the public IP itself; it also works if I change `any` to the private IP of the ASA.

[Image: Image 11-17-25 at 2.38 PM.jpeg (router configuration screenshot)]

Since I have some restrictions on my migration project (the customer wants a seamless migration without any changes to the left-side routers), and with their current setup between Cisco routers (IPsec, not ASAv) this Phase 2 also works over the public IP of the router, I am exploring how I can address this with the new architecture in AWS.

**QUESTIONS:**

1. **ASAv Configuration:** Can ASAv be configured to advertise its EIP as its identity instead of the private IP?

2. **Platform Alternative:** Would Cisco CSR1000v (virtual router) behave differently than ASAv in this NAT scenario?

3. **AWS Architecture:** Are there alternative AWS networking approaches (VPN Gateway, Transit Gateway, etc.) that avoid this issue?

4. **Documentation:** Is this a documented limitation of running ASAv behind AWS NAT? Any Cisco/AWS guides on this migration pattern?

5. **Real-world Solutions:** Has anyone successfully migrated router-to-router IPsec to AWS without modifying the remote peer configuration?

Please suggest.


Ben Weber
Level 1

Hey @sudsark 

You should be able to define the identity of the ASAv under the IKEv2 profile. You should set the EIP with `identity address {ipv4-address}` under the profile configuration. AFAIK this should override the default setting for NAT to advertise the private IP.

The CSR would behave slightly differently: you can use a public EIP and therefore don't need to worry about NAT-T.

On whether AWS recommends using native services: it is recommended to use the VPN Gateway or Transit Gateway for native IPsec termination (which bypasses the need for NAT).

Some helpful sources:

- Cisco ASAv RA-VPN on the AWS Cloud
- Configuring Internet Key Exchange Version 2 (IKEv2) and FlexVPN Site-to-Site [Support] - Cisco Systems
- Configure Site-to-Site IKEv2 Tunnel between ASA and Router - Cisco
- Solved: IPSEC- Match identity address with NAT-T - Cisco Community

- BW
Please rate posts if they have been helpful.
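As an added illustration, not taken from the thread or from either poster, the following shows the IOS/IOS-XE IKEv2 profile syntax behind the advice above, written for the CSR1000v alternative the reply mentions rather than for the ASAv. The on-premises router pins the expected remote identity to the peer's public address instead of `any`, and the cloud-side router uses `identity local address` to send its Elastic IP as IKEv2 identity even though its interface holds a private address behind AWS 1:1 NAT. All addresses (198.51.100.1, 203.0.113.10, 10.0.1.5), names and keys are constructed placeholders.

```cisco
! --- On-premises router (IOS-XE), constructed example ---
! Public address 198.51.100.1; the AWS peer's Elastic IP is 203.0.113.10.
crypto ikev2 keyring KR-AWS
 peer AWS-CSR
  address 203.0.113.10
  pre-shared-key REPLACE-WITH-STRONG-PSK
!
crypto ikev2 profile PROF-AWS
 ! Pin the expected identity to the peer's public address instead of "any",
 ! so a peer presenting any other IDi is rejected during IKE_AUTH.
 match identity remote address 203.0.113.10 255.255.255.255
 identity local address 198.51.100.1
 authentication remote pre-share
 authentication local pre-share
 keyring local KR-AWS
!
! --- Cloud-side router (CSR1000v on EC2, private 10.0.1.5 mapped to EIP 203.0.113.10) ---
crypto ikev2 keyring KR-ONPREM
 peer ONPREM
  address 198.51.100.1
  pre-shared-key REPLACE-WITH-STRONG-PSK
!
crypto ikev2 profile PROF-ONPREM
 match identity remote address 198.51.100.1 255.255.255.255
 ! Send the Elastic IP as the IKEv2 identity even though the outside
 ! interface itself carries the private 10.0.1.5 address.
 identity local address 203.0.113.10
 authentication remote pre-share
 authentication local pre-share
 keyring local KR-ONPREM
```

After bringing the tunnel up, `show crypto ikev2 sa detail` on the on-premises router lists the Local id and Remote id actually exchanged; the Remote id should read 203.0.113.10, which is what lets the `match identity remote address` line stay narrow instead of falling back to `any`.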

Thanks @Ben Weber. I will try the IKEv2 profile setting; I did try it earlier but it only gives me the option to set the default outside interface private IP, with no option to set the public IP (EIP of the NAT instance) as the identifier in ASAv. I've now got into a different go-live requirement but will test this out again and update you.

We are not going with the AWS native solution here due to limitations that wouldn't resolve all the use cases the customer needs.