How to Configure Cisco Routers for DMVPN
Explained with Commands
Learn how to configure Cisco routers for DMVPN, with an explanation of each Cisco IOS command. This article is aimed at network engineers who want to understand dynamic multipoint VPNs.
What is DMVPN?
DMVPN (Dynamic Multipoint VPN) is a Cisco technology that lets branch offices establish on-demand, secure tunnels over the Internet. It combines GRE tunnels, NHRP (Next Hop Resolution Protocol), and IPsec encryption to build scalable VPNs without the complexity of configuring static tunnels, which reduces configuration overhead and simplifies routing.
Prerequisites
Before you begin the configurations, be sure you have the following:
- At least one Cisco router for the hub, and one or more for spokes
- At least 2 public IPs and Internet access for all routers
- IOS version 12.4 or later
- At least a basic understanding of IPsec, GRE, and static routing
- Access to the CLI of each router
Step-by-step DMVPN configuration
Step 1: Configure the DMVPN Hub Router
Firstly, set up the tunnel interface and apply the GRE settings.
interface Tunnel0
ip address 10.0.0.1 255.255.255.0
no ip redirects
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp network-id 1
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 100
tunnel protection ipsec profile DMVPN-PROFILE
interface Tunnel0 – Creates a virtual GRE tunnel interface.
ip address 10.0.0.1 255.255.255.0 – Assigns the tunnel an IP in the DMVPN subnet.
no ip redirects – Disables sending of ICMP redirects for better tunnel stability.
ip nhrp authentication cisco123 – Sets a shared NHRP authentication string so that peers only accept NHRP messages carrying the same value (must match on all routers).
ip nhrp map multicast dynamic – Enables multicast support for dynamic routing protocols like EIGRP or OSPF.
ip nhrp network-id 1 – Tags all NHRP traffic with a unique ID to isolate networks.
tunnel source GigabitEthernet0/0 – Sets the physical interface to source the tunnel (replace as needed).
tunnel mode gre multipoint – Enables the tunnel to accept multiple peer connections (needed for DMVPN).
tunnel key 100 – Optional shared key to differentiate tunnel traffic.
tunnel protection ipsec profile DMVPN-PROFILE – Applies IPsec encryption to the GRE tunnel using the defined profile.
Remember that the ip nhrp authentication string (cisco123 here) must match on all routers, or the peers will not trust each other's NHRP messages.
Step 2: Configure the DMVPN Spoke Router
Secondly, configure the spoke interface with similar tunnel settings and point it to the hub.
interface Tunnel0
ip address 10.0.0.2 255.255.255.0
no ip redirects
ip nhrp authentication cisco123
ip nhrp map 10.0.0.1 <HUB_PUBLIC_IP>
ip nhrp map multicast <HUB_PUBLIC_IP>
ip nhrp network-id 1
ip nhrp nhs 10.0.0.1
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 100
tunnel protection ipsec profile DMVPN-PROFILE
ip address 10.0.0.2 255.255.255.0 – Assigns a unique IP to the spoke within the DMVPN subnet.
ip nhrp map 10.0.0.1 <HUB_PUBLIC_IP> – Maps the tunnel IP of the hub to its real public IP.
ip nhrp map multicast <HUB_PUBLIC_IP> – Ensures multicast packets for routing updates go to the hub.
ip nhrp nhs 10.0.0.1 – Designates the hub as the Next Hop Server (NHS) for NHRP requests.
All other commands mirror the hub configuration and serve the same purposes.
🔐 Replace <HUB_PUBLIC_IP> with the real WAN IP address of the hub router.
Step 3: IPsec Profile and Encryption Setup
Finally, apply encryption using the IPsec profile.
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto ipsec profile DMVPN-PROFILE
set transform-set ESP-AES-SHA
crypto isakmp policy 10 – Defines a Phase 1 ISAKMP policy with priority 10.
encr aes – Uses AES encryption for strong security.
authentication pre-share – Enables pre-shared key authentication.
group 2 – Sets the Diffie-Hellman group for key exchange.
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0 – Sets one pre-shared key that any remote peer address may use (the 0.0.0.0 0.0.0.0 wildcard matches every peer). Use a strong, unique key in production instead of this example value.
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac – Defines the Phase 2 (IPsec) encryption and integrity algorithms.
crypto ipsec profile DMVPN-PROFILE / set transform-set ESP-AES-SHA – Binds the transform-set to a profile that the tunnel interfaces reference with tunnel protection.
DMVPN Phase Comparison
| Phase | Tunnel Type | Spoke-to-Spoke? | Routing |
|---|---|---|---|
| 1 | Point-to-Hub | ❌ No | Static/OSPF |
| 2 | Multipoint GRE | ✅ Yes | OSPF/EIGRP/BGP |
| 3 | Optimized DMVPN | ✅ Yes (Dynamic) | With NHRP Redirects |
Verification Commands
show dmvpn
show crypto isakmp sa
show crypto ipsec sa
These commands show the status of the DMVPN tunnels, the ISAKMP (Phase 1) sessions, and the IPsec security associations, so you can see at a glance whether each tunnel is up.
Troubleshooting Tips
- Check that all routers use the same ip nhrp network-id and ip nhrp authentication string.
- Ensure public IPs are reachable and mapped correctly.
- Confirm that NAT rules (if used) allow GRE and IPsec traffic.
debug nhrp
debug crypto isakmp
debug crypto ipsec
Use these debug commands only during maintenance windows, as they are CPU intensive; avoid running them in production during peak hours.
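As an added example (not from the original article), the following Python script checks the consistency points from the troubleshooting list above against hub and spoke configs: the NHRP authentication string, network-id and tunnel key must match, the spoke's NHS must be the hub's tunnel address, and the IPsec profile the tunnel references must be defined. The configs embedded in it are constructed from this article's examples, with a deliberately wrong spoke network-id.

```python
import re
# Constructed sample configs modelled on the article's hub and spoke; the spoke's
# network-id is deliberately wrong so the check has a mismatch to report.
HUB_CONFIG = """interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip nhrp authentication cisco123
 ip nhrp network-id 1
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROFILE
crypto ipsec profile DMVPN-PROFILE
 set transform-set ESP-AES-SHA
"""
SPOKE_CONFIG = """interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ip nhrp authentication cisco123
 ip nhrp network-id 2
 ip nhrp nhs 10.0.0.1
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROFILE
"""
# IOS command prefix -> short key; the stored value is whatever follows the prefix.
FIELDS = {"ip address": "ip", "ip nhrp authentication": "auth", "ip nhrp network-id": "netid",
          "ip nhrp nhs": "nhs", "tunnel key": "key", "tunnel protection ipsec profile": "profile"}

def parse_tunnel(config: str) -> dict:
    """Collect the DMVPN-relevant lines under the first 'interface Tunnel' block."""
    found, inside = {}, False
    for raw in config.splitlines():
        if raw and not raw.startswith(" "):           # a top-level command ends any block
            inside = raw.startswith("interface Tunnel")
            continue
        line = raw.strip()
        for prefix, key in FIELDS.items():
            if inside and line.startswith(prefix + " "):
                found[key] = line[len(prefix) + 1:]
    return found

def check_dmvpn(hub: str, spokes: dict) -> list:
    """Return mismatches that would keep NHRP/GRE from forming between hub and spokes."""
    h, problems = parse_tunnel(hub), []
    if h.get("profile") not in re.findall(r"^crypto ipsec profile (\S+)", hub, re.M):
        problems.append("hub: tunnel references an undefined IPsec profile")
    hub_ip = (h.get("ip") or "").partition(" ")[0]
    for name, cfg in spokes.items():
        s = parse_tunnel(cfg)
        for key in ("auth", "netid", "key"):          # must be identical on every router
            if s.get(key) != h.get(key):
                problems.append(f"{name}: {key} {s.get(key)!r} != hub {h.get(key)!r}")
        if s.get("nhs") != hub_ip:                    # NHS must be the hub's tunnel address
            problems.append(f"{name}: nhs {s.get('nhs')!r} is not the hub tunnel IP {hub_ip}")
    return problems
```

Run check_dmvpn(HUB_CONFIG, {"spoke1": SPOKE_CONFIG}) to get the list of mismatches; an empty list means the settings that must agree do agree.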
Why Use DMVPN?
- ✅ Reduces static tunnel overhead
- ✅ Supports scalable branch-to-branch VPNs
- ✅ Simplifies routing and encryption
- ✅ Works with multiple dynamic routing protocols
It supports dynamic branch-to-branch connectivity and offers a modern, flexible alternative to traditional site-to-site VPNs.
Conclusion
In summary, DMVPN is a flexible and powerful VPN solution from Cisco. With the configurations and explanations above, you now understand both the how and the why behind each command, and you can use them to build scalable and secure multi-site networks.