When the spoke generates the registration request to the hub, this request will be NATed by the router/device infront of the spoke, so what comes to the hub is the NATed address of the spoke, I can't recall exactly but I believe you need to use Transport mode in order to nat the ip address within the IPSec header and to avoid issues.