Problem with remote identity for ASA with IKEv2 VPN L2L tunnel

baskervi
Level 1

We have an IKEv2 VPN tunnel between a Cisco ASA and an ISR router. The outside of the ASA is an RFC 1918 address (10.10.10.10) and is NATed 1:1 on yet another ASA firewall. Phase 1 is failing because the router sees the ASA as advertising its peer identity as 10.10.10.10.


We have a temporary workaround by setting the remote peer identity for the ASA on the router as the private IP, but the vendor we're using won't allow us to leave it this way permanently. I was researching using the FQDN, but it doesn't appear to be used in a static L2L tunnel, just dynamic. Is there a way around this?


The debug is shown below. Thanks


40608170: IKEv2:(SESSION ID = ,SA ID = ):NAT OUTSIDE found
40608171: IKEv2:(SESSION ID = ,SA ID = ):NAT detected float to init port 4500, resp port 4500

40608190: IKEv2:(SESSION ID = ,SA ID = ):Sending Packet [To 1.1.1.1:4500/From 2.2.2.2:4500/VRF i0:f0]
40608191: IKEv2:(SESSION ID = ,SA ID = ):Received Packet [From 1.1.1.1:4500/To 2.2.2.2:4500/VRF i0:f0]

40608193: IKEv2:(SESSION ID =,SA ID = ):Searching policy based on peer's identity '10.10.10.10' of type 'IPv4 address'
40608194: IKEv2-ERROR:(SESSION ID = ,SA ID = ):: Failed to locate an item in the database
40608195: IKEv2:(SESSION ID = ,SA ID = ):Verification of peer's authentication data FAILED
40608196: IKEv2:(SESSION ID = ,SA ID = ):Auth exchange failed
40608197: IKEv2-ERROR:(SESSION ID = ,SA ID = ):: Auth exchange failed
40608198: IKEv2:(SESSION ID = ,SA ID = ):Abort exchange
40608199: IKEv2:(SESSION ID = ,SA ID = ):Deleting SA
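The debug above is read from the router side: the packets go to 1.1.1.1 (the public address the upstream ASA NATs the ASA's 10.10.10.10 outside interface to) from 2.2.2.2 (the router), while the IDi the ASA sends inside the IKE_AUTH exchange is still the pre-NAT 10.10.10.10, so the router looks up a profile for 10.10.10.10, finds none, and fails the authentication step. The following IOS configuration is an added example, not from the original post or from the poster's devices, showing what the workaround described above looks like in a `crypto ikev2 profile`: the keyring still keys on the NATed public address 1.1.1.1 (that is where the packets come from), while `match identity remote` is pinned to the private identity 10.10.10.10 that actually arrives in IDi. The profile, keyring and key names and the pre-shared key are assumptions chosen for illustration; the addresses are the ones from the post.

```text
! Router (ISR) side, IOS IKEv2. Assumed names: KR-ASA, PROF-ASA, key value.
! The keyring peer is selected by the source address of the packet, i.e. the
! post-NAT public address of the ASA.
crypto ikev2 keyring KR-ASA
 peer ASA-BEHIND-NAT
  address 1.1.1.1
  pre-shared-key local  EXAMPLE-PSK-LOCAL
  pre-shared-key remote EXAMPLE-PSK-REMOTE
!
! The profile is selected by the IDi payload the peer sends, which for the
! ASA behind 1:1 NAT is its real (RFC 1918) outside address, not 1.1.1.1.
! This is the workaround from the post: match the private identity.
crypto ikev2 profile PROF-ASA
 match identity remote address 10.10.10.10 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local KR-ASA
!
! Verification after bringing the tunnel up: the remote identity column of
! the detailed SA output should show 10.10.10.10 while the remote address
! shows 1.1.1.1:4500 (NAT-T), matching the "NAT detected" debug lines above.
! show crypto ikev2 sa detailed
```

Two practical checks go with this: if the tunnel still fails with the same "Failed to locate an item in the database" error, confirm with `show crypto ikev2 sa detailed` (or the debug lines above) which identity the ASA is actually sending, since `match identity remote address` must match that value exactly, not the NATed address; and when the NAT-T "float to port 4500" lines appear, make sure UDP/4500 is permitted through the NATing ASA in both directions, because the 1:1 translation alone does not open it.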
