4.1.d [ii] DMVPN with IPsec using preshared key
The feature works according to the following rules.
● Each spoke has a permanent IPSec tunnel to the hub, not to the other spokes within the network. Each spoke registers as a client of the NHRP server.
● When a spoke needs to send a packet to a destination (private) subnet on another spoke, it queries the NHRP server for the real (outside) address of the destination (target) spoke.
● After the originating spoke learns the peer address of the target spoke, it can initiate a dynamic IPSec tunnel to the target spoke.
● The spoke-to-spoke tunnel is built over the multipoint GRE (mGRE) interface.
● The spoke-to-spoke links are established on demand whenever there is traffic between the spokes. Thereafter, packets are able to bypass the hub and use the spoke-to-spoke tunnel.
● If an IP multicast stream originates from a spoke location, a rendezvous point (RP) must be deployed at the hub site in order for other spoke site clients to receive the stream.
● mGRE Tunnel Interface allows a single GRE interface to support multiple IPSec tunnels and simplifies the size and complexity of the configuration.
Adam, Paul (2014-07-12). All-in-One CCIE V5 Written Exam Guide (Kindle Locations 4531-4534). Kindle Edition.