Tuesday, September 13, 2022

DMVPN

TOPOLOGY: (diagram image)


CONFIGURATIONS (for IOS): Without IPsec

###HUB###

interface Tunnel0
 ip address 10.50.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication DMVPN
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp redirect
 no ip split-horizon eigrp 123
 ip tcp adjust-mss 1360
 tunnel source Serial0/0
 tunnel mode gre multipoint
!
router eigrp 123
 network 10.50.0.0 0.0.0.255
 network 192.168.10.0
 no auto-summary

------------------------------
###SPOKE1###

interface Tunnel0
 ip address 10.50.0.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication DMVPN
 ip nhrp map 10.50.0.1 200.0.101.2
 ip nhrp map multicast 200.0.101.2
 ip nhrp network-id 1
 ip tcp adjust-mss 1360
 ip nhrp nhs 10.50.0.1
 ip nhrp shortcut
 tunnel source Serial0/0
 tunnel mode gre multipoint
!
router eigrp 123
 network 10.50.0.0 0.0.0.255
 network 192.168.20.0
 no auto-summary
------------------------------
###SPOKE2###

interface Tunnel0
 ip address 10.50.0.3 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication DMVPN
 ip nhrp map 10.50.0.1 200.0.101.2
 ip nhrp map multicast 200.0.101.2
 ip nhrp network-id 1
 ip tcp adjust-mss 1360
 ip nhrp nhs 10.50.0.1
 ip nhrp shortcut
 tunnel source Serial0/0
 tunnel mode gre multipoint
!
router eigrp 123
 network 10.50.0.0 0.0.0.255
 network 192.168.30.0
 no auto-summary

==============================================================

CONFIGURATIONS (for IOS): With IPsec

###HUB###

crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set DMVPN esp-aes esp-sha-hmac
!
crypto ipsec profile DMVPN-PROFILE
 set security-association lifetime seconds 86400
 set transform-set DMVPN

interface Tunnel0
 ip address 10.50.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication DMVPN
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp redirect
 no ip split-horizon eigrp 123
 ip tcp adjust-mss 1360
 tunnel source Serial0/0
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile DMVPN-PROFILE
!
router eigrp 123
 network 10.50.0.0 0.0.0.255
 network 192.168.10.0
 no auto-summary

------------------------------
###SPOKE1###

crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set DMVPN esp-aes esp-sha-hmac
!
crypto ipsec profile DMVPN-PROFILE
 set security-association lifetime seconds 86400
 set transform-set DMVPN

interface Tunnel0
 ip address 10.50.0.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication DMVPN
 ip nhrp map 10.50.0.1 200.0.101.2
 ip nhrp map multicast 200.0.101.2
 ip nhrp network-id 1
 ip tcp adjust-mss 1360
 ip nhrp nhs 10.50.0.1
 ip nhrp shortcut
 tunnel source Serial0/0
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile DMVPN-PROFILE
!
router eigrp 123
 network 10.50.0.0 0.0.0.255
 network 192.168.20.0
 no auto-summary
------------------------------
###SPOKE2###

crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set DMVPN esp-aes esp-sha-hmac
!
crypto ipsec profile DMVPN-PROFILE
 set security-association lifetime seconds 86400
 set transform-set DMVPN

interface Tunnel0
 ip address 10.50.0.3 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication DMVPN
 ip nhrp map 10.50.0.1 200.0.101.2
 ip nhrp map multicast 200.0.101.2
 ip nhrp network-id 1
 ip tcp adjust-mss 1360
 ip nhrp nhs 10.50.0.1
 ip nhrp shortcut
 tunnel source Serial0/0
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile DMVPN-PROFILE
!
router eigrp 123
 network 10.50.0.0 0.0.0.255
 network 192.168.30.0
 no auto-summary
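Both config sets above depend on every spoke agreeing with the hub on the tunnel parameters (tunnel key, NHRP authentication string, MTU/MSS, protection profile), and the IPsec set uses `hash md5`, no explicit `encryption` or `group` line (IOS then defaults to DES and DH group 1), and a pre-shared key bound to `0.0.0.0 0.0.0.0`. The following Python script is an added example, not part of the original post and not a Cisco tool: it parses the hub and SPOKE1 configs exactly as printed on this page, reports any tunnel parameter where a spoke drifts from the hub, and reports the IKEv1/IPsec settings a reviewer would flag. The drifted spoke and the hardened crypto block are constructed for the example; the hardened block assumes IOS 15.x syntax and uses `EXAMPLE-PSK` as a placeholder.

```python
"""Audit DMVPN hub/spoke configs for parameter drift and weak IKE/IPsec settings.
Added example; not from the original post or any Cisco tooling."""

# Constructed input: the hub config from the post, trimmed to the lines the checks inspect.
HUB_CFG = """\
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set DMVPN esp-aes esp-sha-hmac
crypto ipsec profile DMVPN-PROFILE
 set transform-set DMVPN
interface Tunnel0
 ip address 10.50.0.1 255.255.255.0
 ip mtu 1400
 ip nhrp authentication DMVPN
 ip nhrp network-id 1
 ip tcp adjust-mss 1360
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile DMVPN-PROFILE
"""
# SPOKE1 on the page carries the same tunnel parameters; only the address differs.
SPOKE1_CFG = HUB_CFG.replace("10.50.0.1 255", "10.50.0.2 255")
# Constructed drifted spoke: MTU changed and 'tunnel key' dropped. Both are syntactically
# valid and both break GRE/NHRP registration against this hub.
SPOKE_DRIFT_CFG = SPOKE1_CFG.replace(" ip mtu 1400", " ip mtu 1500").replace(" tunnel key 0\n", "")
# Constructed hardened crypto block (assumed IOS 15.x syntax; EXAMPLE-PSK is a placeholder).
HARDENED_CRYPTO = """\
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key EXAMPLE-PSK address 200.0.102.2 255.255.255.255
crypto isakmp key EXAMPLE-PSK address 200.0.103.2 255.255.255.255
crypto ipsec transform-set DMVPN esp-aes 256 esp-sha256-hmac
"""


def parse_ios(text):
    """Split an IOS-style config into {header line: [indented child lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections


# Tunnel values that must agree across the cloud: 'tunnel key' and 'ip nhrp authentication'
# gate registration, MTU/MSS avoid fragmentation, network-id is locally significant but is
# normally kept uniform, and the protection profile must match on both ends.
TUNNEL_KEYS = ("ip mtu", "ip nhrp authentication", "ip nhrp network-id",
               "ip tcp adjust-mss", "tunnel mode", "tunnel key", "tunnel protection")


def tunnel_params(sections, intf="interface Tunnel0"):
    """Extract the TUNNEL_KEYS values configured under the tunnel interface."""
    found = {}
    for line in sections.get(intf, []):
        for key in TUNNEL_KEYS:
            if line.startswith(key + " "):
                found[key] = line[len(key) + 1:]
    return found


def check_consistency(hub, spokes):
    """Return one finding per tunnel parameter where a spoke differs from the hub."""
    ref, findings = tunnel_params(hub), []
    for name, spoke in spokes.items():
        mine = tunnel_params(spoke)
        for key in TUNNEL_KEYS:
            if mine.get(key) != ref.get(key):
                findings.append(f"{name}: {key!r} is {mine.get(key)!r}, hub has {ref.get(key)!r}")
    return findings


def check_crypto(sections):
    """Flag IKEv1/IPsec settings a reviewer would not accept today."""
    findings = []
    for header, lines in sections.items():
        words = header.split()
        if header.startswith("crypto isakmp policy"):
            opts = {l.split()[0]: l for l in lines}
            if "encryption" not in opts:
                findings.append(f"{header}: no 'encryption' line, IOS default is DES")
            if opts.get("hash", "").endswith(" md5"):
                findings.append(f"{header}: hash md5, use sha256")
            if "group" not in opts:
                findings.append(f"{header}: no 'group' line, IOS default is DH group 1")
        elif header.startswith("crypto isakmp key") and words[-2:] == ["0.0.0.0", "0.0.0.0"]:
            findings.append("wildcard pre-shared key: any host holding the key can negotiate")
        elif header.startswith("crypto ipsec transform-set") and "esp-sha-hmac" in words:
            findings.append(f"{header}: esp-sha-hmac is HMAC-SHA-1, prefer esp-sha256-hmac")
    return findings


if __name__ == "__main__":
    hub = parse_ios(HUB_CFG)
    spokes = {"SPOKE1": parse_ios(SPOKE1_CFG), "SPOKE-DRIFT": parse_ios(SPOKE_DRIFT_CFG)}
    for f in check_consistency(hub, spokes) + check_crypto(hub):
        print("FINDING:", f)
    print("hardened block findings:", check_crypto(parse_ios(HARDENED_CRYPTO)))
```

Per-peer keys on the hub remove the wildcard but do not scale to the spoke-to-spoke tunnels that `ip nhrp shortcut` / `ip nhrp redirect` create, since every spoke would then need a key for every other spoke; the usual answer there is IKEv2 with certificate authentication, which is outside what this post configures.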

==========================================================
TSHOOT/SHOW COMMANDS:

HUB#show dmvpn 
Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer

Tunnel0, Type:Hub, NHRP Peers:2, 
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1     200.0.102.2       10.50.0.2    UP    never D    
     1     200.0.103.2       10.50.0.3    UP    never D    

------------------------------------------------------------------------------------------------------------
HUB#show dmvpn detail 
Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer

 -------------- Interface Tunnel0 info: -------------- 
Intf. is up, Line Protocol is up, Addr. is 10.50.0.1
   Source addr: 200.0.101.2, Dest addr: MGRE
  Protocol/Transport: "multi-GRE/IP", Protect "",
Tunnel VRF "", ip vrf forwarding ""

NHRP Details: 
Type:Hub, NBMA Peers:2
# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
----- --------------- --------------- ----- -------- ----- -----------------
    1     200.0.102.2       10.50.0.2    UP 00:01:14 D          10.50.0.2/32

# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
----- --------------- --------------- ----- -------- ----- -----------------
    1     200.0.103.2       10.50.0.3    UP 00:01:16 D          10.50.0.3/32


Pending DMVPN Sessions:
------------------------------------------------------------------------------------------------------------
HUB#show crypto session detail 
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection     
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
F - IKE Fragmentation

Interface: Tunnel0
Uptime: 00:01:18
Session status: UP-ACTIVE     
Peer: 200.0.102.2 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 200.0.102.2
      Desc: (none)
  IKE SA: local 200.0.101.2/500 remote 200.0.102.2/500 Active 
          Capabilities:(none) connid:1002 lifetime:23:58:40
  IPSEC FLOW: permit 47 host 200.0.101.2 host 200.0.102.2 
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 43 drop 0 life (KB/Sec) 4488782/86321
        Outbound: #pkts enc'ed 24 drop 0 life (KB/Sec) 4488785/86321

Interface: Tunnel0
Uptime: 00:01:20
Session status: UP-ACTIVE     
Peer: 200.0.103.2 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 200.0.103.2
      Desc: (none)
  IKE SA: local 200.0.101.2/500 remote 200.0.103.2/500 Active 
          Capabilities:(none) connid:1001 lifetime:23:58:39
  IPSEC FLOW: permit 47 host 200.0.101.2 host 200.0.103.2 
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 27 drop 0 life (KB/Sec) 4605932/86319
        Outbound: #pkts enc'ed 28 drop 0 life (KB/Sec) 4605932/86319

HUB#show crypto isakmp sa      
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
200.0.101.2     200.0.103.2     QM_IDLE           1001    0 ACTIVE
200.0.101.2     200.0.102.2     QM_IDLE           1002    0 ACTIVE

IPv6 Crypto ISAKMP SA

HUB#show crypto isakmp key     
Keyring      Hostname/Address                            Preshared Key

default      0.0.0.0        [0.0.0.0        ]            cisco123



HUB#show ip eigrp neighbors 
IP-EIGRP neighbors for process 123
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
1   10.50.0.2               Tu0               13 00:03:00  162  5000  0  3
0   10.50.0.3               Tu0               12 00:03:01  155  5000  0  3
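The two hub outputs above, `show dmvpn` and `show crypto session detail`, are what an operator polls to confirm that each spoke is registered and that its GRE traffic is actually inside an IPsec SA. The following Python script is an added example, not part of the original post: it parses both outputs in the format printed on this page and compares the hub's view against an inventory of expected spokes. The sample text is constructed from the page's output with one extra registered peer (`10.50.0.9` from NBMA `198.51.100.7`) added to exercise the unexpected-peer check; with a wildcard pre-shared key, a registration from an address that is not in the inventory is exactly the event worth alerting on.

```python
"""Compare the hub's DMVPN/IPsec state against the expected spoke inventory.
Added example; the parsers follow the show-command format printed on the page."""
import re

# Constructed: the post's 'show dmvpn' table plus one extra peer (10.50.0.9) to exercise the check.
SHOW_DMVPN = """\
Tunnel0, Type:Hub, NHRP Peers:3,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1     200.0.102.2       10.50.0.2    UP    never D
     1     200.0.103.2       10.50.0.3    UP    never D
     1    198.51.100.7       10.50.0.9    UP 00:00:12 D
"""
# Constructed: the post's 'show crypto session detail', trimmed to the lines used here.
SHOW_CRYPTO_SESSION = """\
Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 200.0.102.2 port 500 fvrf: (none) ivrf: (none)
  IKE SA: local 200.0.101.2/500 remote 200.0.102.2/500 Active
  IPSEC FLOW: permit 47 host 200.0.101.2 host 200.0.102.2
        Active SAs: 2, origin: crypto map

Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 200.0.103.2 port 500 fvrf: (none) ivrf: (none)
  IKE SA: local 200.0.101.2/500 remote 200.0.103.2/500 Active
  IPSEC FLOW: permit 47 host 200.0.101.2 host 200.0.103.2
        Active SAs: 2, origin: crypto map
"""
# Inventory (tunnel address -> public NBMA address) taken from the spoke configs on the page.
EXPECTED_SPOKES = {"10.50.0.2": "200.0.102.2", "10.50.0.3": "200.0.103.2"}

# One NHRP peer row: '# Ent', NBMA, tunnel address, state, up/down timer, attribute.
PEER_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_show_dmvpn(text):
    """Return one dict per peer row; legend, header and separator lines do not match."""
    peers = []
    for line in text.splitlines():
        m = PEER_ROW.match(line)
        if m:
            _, nbma, tunnel, state, _, attrb = m.groups()
            peers.append({"nbma": nbma, "tunnel": tunnel, "state": state, "attrb": attrb})
    return peers


def parse_crypto_sessions(text):
    """Map peer NBMA address -> {'status', 'active_sas'}; 'Session status' precedes 'Peer'."""
    sessions, status, peer = {}, None, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Session status:"):
            status = s.split(":", 1)[1].strip()
        elif s.startswith("Peer:"):
            peer = s.split()[1]
            sessions[peer] = {"status": status, "active_sas": 0}
        elif s.startswith("Active SAs:") and peer:
            sessions[peer]["active_sas"] += int(s.split()[2].rstrip(","))
    return sessions


def check_hub_state(dmvpn_text, session_text, expected):
    """Findings: missing/mismatched/down expected spokes, spokes without a healthy
    IPsec session (UP-ACTIVE with an inbound and outbound SA), and peers not in inventory."""
    peers = parse_show_dmvpn(dmvpn_text)
    sessions = parse_crypto_sessions(session_text)
    by_tunnel = {p["tunnel"]: p for p in peers}
    findings = []
    for tunnel, nbma in expected.items():
        p = by_tunnel.get(tunnel)
        if p is None:
            findings.append(f"{tunnel}: not registered with the hub")
            continue
        if p["nbma"] != nbma:
            findings.append(f"{tunnel}: registered from NBMA {p['nbma']}, inventory says {nbma}")
        if p["state"] != "UP":
            findings.append(f"{tunnel}: NHRP state {p['state']}")
        sess = sessions.get(p["nbma"])
        if not sess or sess["status"] != "UP-ACTIVE" or sess["active_sas"] < 2:
            findings.append(f"{tunnel}: no healthy IPsec session with {p['nbma']}")
    for p in peers:
        if p["tunnel"] not in expected:
            findings.append(f"unexpected peer {p['tunnel']} from NBMA {p['nbma']} (attrb {p['attrb']})")
    return findings


if __name__ == "__main__":
    for f in check_hub_state(SHOW_DMVPN, SHOW_CRYPTO_SESSION, EXPECTED_SPOKES):
        print("FINDING:", f)
```

Run on the page's own two-spoke output the check is silent; the constructed third peer produces a single finding. Feeding an empty crypto-session output (IPsec down while NHRP still shows UP) flags every expected spoke, which is the case `show dmvpn` alone would not reveal.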