DMVPN over IPsec

Hi Laz,

Thanks for the explanation. I just want to clear something up.

The multicast traffic only flows directly to a spoke once a unicast packet sent to that spoke has caused a tunnel to be built. i.e. the multicast traffic itself cannot cause the tunnel to be built. Is that correct?



Hello Samir

Yes you are correct. Multicast traffic will not be able to initiate the creation of point to point GRE tunnel between spokes. If this tunnel does not exist, multicast traffic will be routed via the hub. Only unicast traffic will trigger the creation of a spoke-to-spoke tunnel. This is simply due to the design and behavior of the NHRP protocol.

Specifically, the NHRP resolution process is triggered only by unicast traffic and not multicast traffic.

When multicast traffic is sent to the hub, it is forwarded to all registered spokes. Since the multicast traffic is not specifically addressed to a single spoke, it does not provide an opportunity for NHRP to learn about the other spokes’ public IP addresses or establish direct GRE tunnels.

This is a design choice for NHRP, which helps to optimize network traffic flow and reduce unnecessary overhead. If multicast traffic were used to establish spoke-to-spoke tunnels, it could result in numerous unnecessary tunnels being built, which could consume additional resources and complicate the network. Thus it is more efficient to rely only on unicast to trigger the NHRP resolution process.

I hope this has been helpful!


1 Like

I had a question, is there anyway we can get a lesson with DMVPN and IPsec with OSPF instead of RIP?

Hello David

If you have suggestions for specific lessons and lesson topics, feel free to use the Member Ideas page below. There you can make your suggestions for additional lessons that Rene can add in the future. You may find that others have suggested something similar, so you can add your voice to theirs.

In the meantime, take a look at the following Cisco documentation which describes a scenario where DMVPN with IPSec and OSPF are being used, along with a few more features.

Doing a search online, I was able to find some additional resources that describe such a setup.

I hope this has been helpful!


Can you provide any resources I can use to better understand the IKEV2 configuration on an iOS router using DMVPN & Cisco router for a PKI server.

Hello James

The following lesson shows how to set up DMVPN with IPsec:

This doesn’t include the use of a PKI server, however you can find further information about that for a DMVPN environment at the following Cisco documentation:

This documentation describes a DMVPN network using IPSec along with a CA server, a role which is played by the hub of the DMVPN topology.

If you would like Rene to create a new lesson with your particular setup in mind, feel free to make your suggestion at the following member ideas page:

There, you may find that others have made similar suggestions, and you can add your voice to theirs.

I hope this has been helpful!



This may be simple, and I might be overthinking it but this part right here

Keep in mind that encryption occurs before multipoint GRE / NHRP.

Would it be possible to elaborate further? I always run into issues at work when troubleshooting DMVPN/IPEC and when I am told Encryption happens before multipoint GRE/ NHRP, how is that exactly?

Thank you for your time


Hello Hakeem

The statement that “encryption occurs before multipoint GRE/NHRP” is simply highlighting the sequence of operations in the DMVPN/IPSec setup. Encryption, provided by IPSec, happens before the encapsulation of data into multipoint GRE and the NHRP protocol. In other words, data is encrypted first by IPSec to ensure confidentiality, then encapsulated in multipoint GRE for routing, and finally, NHRP is used for address resolution.

This means that the GRE headers and the NHRP additional information remain unencrypted. Does that make sense?

I hope this has been helpful!



Yes it does, I was overthinking it. Thanks much for the explaination.

Have a great weekend.


1 Like