4.1.d Implement and troubleshoot DMVPN [single hub]

4.1.d [ii] DMVPN with IPsec using preshared key

The feature works according to the following rules.

● Each spoke has a permanent IPsec tunnel to the hub, not to the other spokes within the network. Each spoke registers as a client of the NHRP server.

● When a spoke needs to send a packet to a destination (private) subnet on another spoke, it queries the NHRP server for the real (outside) address of the destination (target) spoke.

● After the originating spoke learns the peer address of the target spoke, it can initiate a dynamic IPsec tunnel to the target spoke.

● The spoke-to-spoke tunnel is built over the multipoint GRE (mGRE) interface.

● The spoke-to-spoke links are established on demand whenever there is traffic between the spokes. Thereafter, packets are able to bypass the hub and use the spoke-to-spoke tunnel.

● If an IP multicast stream originates from a spoke location, a rendezvous point (RP) must be deployed at the hub site in order for other spoke site clients to receive the stream.

● The mGRE tunnel interface allows a single GRE interface to support multiple IPsec tunnels and reduces the size and complexity of the configuration.

Adam, Paul (2014-07-12). All-in-One CCIE V5 Written Exam Guide (Kindle Locations 4531-4534). Kindle Edition.

http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/901-cisco-router-dmvpn-configuration.html