IPSEC issues with LTE / Verizon

jerry.bonner
Level 1

I'm not sure where else to go with this one.....

We're testing the EHWIC-4G-LTE-VZ card with a 2901 router in our lab. We had a flexvpn setup over Verizon to an ASR1000 on the other end. Nothing fancy:

crypto ikev2 client flexvpn EnventisFlex
peer 1 x.x.x.x
client connect Tunnel1

interface Cellular0/2/0
description IPSec Failver 3rd Party Circuit
vrf forwarding ipsecOutside
ip address negotiated
encapsulation slip
dialer in-band
dialer idle-timeout 5
dialer enable-timeout 10
dialer string lte
dialer watch-group 1
end

interface Tunnel1
description Connection to 511/EDC
ip unnumbered Loopback50
ip mtu 1400
ip pim sparse-mode
ip tcp adjust-mss 1360
tunnel source Cellular0/2/0
tunnel destination dynamic
tunnel path-mtu-discovery
tunnel vrf ipsecOutside
tunnel protection ipsec profile EnventisIPSecProfile
end

This was working for a while, then suddenly it stopped working and the IKE exchange between the two wouldn't complete. So I started digging and did a few packet captures on both sides. From the ASR 1000 side, pcap looks like this:

2901 SA_INIT > A1K (port 500, 500 bytes)
A1K SA_INIT > 2901 (port 500, 500 bytes)
2901 IKE_AUTH > A1K (port 4500, 2000 bytes w/ fragments)
A1K IKE_AUTH > 2901 (port 4500, 2000 bytes w/ fragments)
2901 IKE_AUTH > A1K (port 4500, 2000 bytes w/ fragments)
A1K IKE_AUTH > 2901 (port 4500, 2000 bytes w/ fragments)
2901 IKE_AUTH > A1K (port 4500, 2000 bytes w/ fragments)
A1K IKE_AUTH > 2901 (port 4500, 2000 bytes w/ fragments)
2901 IKE_AUTH > A1K (port 4500, 2000 bytes w/ fragments)
A1K IKE_AUTH > 2901 (port 4500, 2000 bytes w/ fragments)

The 2901 never receives the IKE_AUTH response from the ASR 1000 so both ends just keep retransmitting. Ok....why not? MTU issue? So I start some pings from the 2901 over the Cellular connection:

! Ping msnbc

Router# ping vrf ipsecOutside 23.222.203.175 size 1500
Type escape sequence to abort.
Sending 5, 1500-byte ICMP Echos to 23.222.203.175, timeout is 2 seconds:
.....

5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
5 packets output, 7500 bytes, 0 underruns

Router# clear counters cell 0/2/0
Clear "show interface" counters on this interface [confirm]
Cellular0/2/0 QoS statistics data clear currently is not supported.

Router# ping vrf ipsecOutside 23.222.203.175 size 1444
Type escape sequence to abort.
Sending 5, 1444-byte ICMP Echos to 23.222.203.175, timeout is 2 seconds:
!!!!!

5 minute output rate 1000 bits/sec, 1 packets/sec
5 packets input, 7220 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
5 packets output, 7220 bytes, 0 underruns

Router# ping vrf ipsecOutside 23.222.203.175 size 1445
Type escape sequence to abort.
Sending 5, 1500-byte ICMP Echos to 23.222.203.175, timeout is 2 seconds:
.....

um ok, so:

Router# ping vrf ipsecOutside 8.8.8.8 size 1500

Type escape sequence to abort.
Sending 5, 1500-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 136/141/144 ms

Router# ping vrf ipsecOutside 8.8.8.8 size 1500 df-bit
Type escape sequence to abort.
Sending 5, 1500-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with the DF bit set
!!!!!

Seriously, WTF is happening!? Verizon likely uses some funky CGN, but as long as we get ICMP unreachables for the dropped packets, PMTUD would probably work. But unfortunately when performing packet captures on remote nodes, I do not receive any such responses to dropped packets.

Am I missing something here? How would I go about getting IPSEC to work over this connection with this kind of NAT behavior from the carrier?
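The post above narrows the problem down by hand: 1444-byte pings to one host get replies, 1445-byte pings do not, and no ICMP "fragmentation needed" ever comes back, so PMTUD has nothing to work with. The following is an added example (not code from the poster, from Cisco, or from this thread) that generalises that manual probing into a binary search over IP datagram sizes with DF set and classifies the outcome as a working PMTUD path or a black hole. The probe is injectable: `make_simulated_probe` models a constructed link with a chosen path MTU, and `linux_ping_probe` is an assumed wrapper around iputils `ping -M do` for readers who want to run it against a real path (the exact output strings it matches are an assumption about iputils, not something this thread shows). `ikev2_fragments_needed` is a rough estimate of how many RFC 7383 IKEv2-level fragments a message of a given size needs once IP fragments are being dropped; its per-fragment overhead default is an assumption, not a measured value.

```python
"""Path-MTU probing by binary search with DF set, plus black-hole classification.

Sizes throughout are IP datagram sizes in bytes, matching IOS `ping ... size N`.
Added example for the forum thread; not the poster's or Cisco's code.
"""
import math
import subprocess
from dataclasses import dataclass
from typing import Callable, Optional

# A probe takes a datagram size and reports one of:
#   "ok"      - echo reply received
#   "too_big" - ICMP "fragmentation needed" received (PMTUD is working)
#   "lost"    - nothing came back (timeout)
Probe = Callable[[int], str]


@dataclass
class PmtuResult:
    path_mtu: int                  # largest size that got a reply
    first_failing: Optional[int]   # smallest size that did not, or None if hi passed
    saw_too_big: bool              # any ICMP too-big seen during the search
    black_hole: bool               # drops occurred but no ICMP feedback arrived


def find_path_mtu(probe: Probe, lo: int = 576, hi: int = 1500) -> PmtuResult:
    """Binary-search the largest DF datagram that traverses the path.

    lo must succeed (576 is the IPv4 minimum reassembly size, a safe floor);
    hi is normally the local interface MTU. Probe results are assumed
    monotonic in size, which holds for a fixed path.
    """
    if probe(lo) != "ok":
        raise ValueError(f"{lo}-byte probe fails; path is down or lo is too high")
    top = probe(hi)
    if top == "ok":
        return PmtuResult(hi, None, False, False)
    saw_too_big = top == "too_big"
    good, bad = lo, hi
    while bad - good > 1:
        mid = (good + bad) // 2
        result = probe(mid)
        if result == "ok":
            good = mid
        else:
            bad = mid
            saw_too_big = saw_too_big or result == "too_big"
    return PmtuResult(good, bad, saw_too_big, black_hole=not saw_too_big)


def make_simulated_probe(path_mtu: int, sends_icmp: bool) -> Probe:
    """Constructed link: drops DF datagrams above path_mtu, optionally with ICMP."""
    def probe(size: int) -> str:
        if size <= path_mtu:
            return "ok"
        return "too_big" if sends_icmp else "lost"
    return probe


def linux_ping_probe(host: str, timeout_s: int = 2) -> Probe:
    """Assumed wrapper around iputils ping (Linux). `-s` is ICMP payload, so the
    IP datagram size minus 28 bytes (20 IPv4 + 8 ICMP) is passed."""
    def probe(size: int) -> str:
        cmd = ["ping", "-M", "do", "-c", "1", "-W", str(timeout_s),
               "-s", str(size - 28), host]
        proc = subprocess.run(cmd, capture_output=True, text=True)
        if proc.returncode == 0:
            return "ok"
        text = proc.stdout + proc.stderr
        # Assumed iputils wording for a received / locally generated too-big.
        if "Frag needed" in text or "message too long" in text:
            return "too_big"
        return "lost"
    return probe


def ikev2_fragments_needed(message_len: int, path_mtu: int,
                           per_fragment_overhead: int = 100) -> int:
    """Rough count of RFC 7383 IKEv2 fragments for a message that must fit the
    path MTU without IP fragmentation. Overhead (IPv4+UDP+NAT-T marker+IKE
    header+encrypted-fragment header+IV+ICV) is an assumed round figure."""
    usable = path_mtu - per_fragment_overhead
    if usable <= 0:
        raise ValueError("path MTU too small for any IKEv2 fragment")
    return math.ceil(message_len / usable)


if __name__ == "__main__":
    # Constructed scenario mirroring the thread: 1444 passes, 1445 is silently dropped.
    res = find_path_mtu(make_simulated_probe(1444, sends_icmp=False))
    print(res)
    print("IKE_AUTH of 2000 bytes needs", ikev2_fragments_needed(2000, res.path_mtu),
          "IKEv2 fragments at that path MTU")
```

The search needs about ten probes between 576 and 1500, so it is quick enough to repeat per destination; the `black_hole` flag is the part that matters for a VPN endpoint, since a path that drops large datagrams without ICMP feedback leaves both the IKE_AUTH retransmits and the tunnel's PMTUD stuck until the message size is brought under the discovered MTU.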

2 Replies

Hello,

What do your crypto isakmp policies look like?

Somehow I have a feeling that the cellular connection is involved here. Since you have this set up in a lab, can you test the same configuration with an Ethernet connection?

Oh sorry. Good point... I neglected to mention that everything works just fine over an Ethernet connection. But here are the ike policies....

crypto ikev2 profile CertProfile
match fvrf ipsecOutside
match identity remote fqdn domain blah.com
identity local fqdn node.domain.com
authentication local rsa-sig
authentication remote rsa-sig
pki trustpoint TP
dpd 10 2 periodic
aaa authorization group cert list default default

crypto ipsec transform-set AES128 esp-aes esp-sha-hmac
mode transport
crypto ipsec df-bit clear
!
crypto ipsec profile IPSecProfile
set transform-set AES128
set ikev2-profile CertProfile

crypto ikev2 client flexvpn Flex
peer 1 1.2.3.4
client connect Tunnel1
!
