Experts,

I've got an IKEv2 auth problem I can't figure out how to account for.

I have ASA 5505's terminating IKEv2/IPSEC on a 1921 (154-3.M2).  The ASA's have dynamic IPs, that are behind cellular services/hotspots, so the NAT'ing is crazy and usually tunnels don't even match the web traffic's NAT IP (meaning your web traffic comes from one carrier IP, and tunnels come from a different carrier IP, neither are the IP of the hotspot).  

I have these ASAs using a specific IKEv2 profile to separate them from the rest of the dynamic tunnels that work perfectly.  The ASA has to use the static IP of the router because of a super frustrating ASA limitation.

This is the profile for these ASA's:

crypto ikev2 profile IKEV2-PROFILE_DYNAMIC-KEY-ID
description ** Allows dynamic tunnels from ASA NAT issues **
match identity remote key-id xxxxx
identity local address 199.27.xxx.xxx
authentication remote pre-share key xxxxxx
authentication local pre-share key xxxxxx

The error message seen in debug on the hub router is:

"Computed authentication value for peer differs from what peer sent"

I don't understand what this means.  It could be the IP address the ASA thinks it's using and puts in the packet versus the IP address that is actually connecting to the router, but that's all NAT scenarios, right?  I have IOS based DMVPN devices that can use those same cellular hotspots that work fine, and are connecting perfectly using another IKEv2 profile that matches remote any.  All I know for sure is that the router is at least selecting the correct IKEv2 Profile, so that's good.

This specific error has about three hits on Google, so let's what you guys think.