So just to be clear - for VMM (Virtual Mobility Master) to MC (Mobility Controller), I need all of the following ports to be port forwarded?
IPsec (UDP port 4500) for communication between Mobility Master and a managed device.
IPsec (UDP ports 500 and 4500) and ESP (protocol 50). PAPI between Mobility Master and a managed device is encapsulated in IPsec.
IP-IP (protocol 94) and UDP port 443 if Layer-3 mobility is enabled.
GRE (protocol 47) if tunneling guest traffic over GRE to DMZ managed device.
IKE (UDP 500)
ESP (protocol 50)
NAT-T (UDP 4500)
That seems like... an awful lot of ports =(.
Is there any other way of linking a VMM hosted somewhere in a colo or in the cloud with Mobility Controllers and APs in various locations?