connection between HQ and 2 remote sites

Saif.S.Mohammed
Level 1

We have 1 main site (HQ) and 2 remote offices in different locations; only the HQ has a public IP address and the other remote sites are behind PAT.

What's the best way to connect these 3 sites together?

Note: I've tried DMVPN but it gives the PATed IP address to the hub :(

Can you help me please? :]

7 Replies

Hello Saif.S.Mohammed,

In order for hosts located on remote LAN networks to communicate "freely" with each other, you do indeed need an overlay tunneling technology like DMVPN.

With DMVPN, as you may already know, you need a single public/static IP address only on the HUB side.

All the DMVPN Spokes can still use dynamic WAN IP addresses; DMVPN can work with public NATted addresses on the Spokes.

I would suggest contacting your ISP to discuss how you can get a public/static IP address at your HUB site.

PS: Maybe your ISP can forward the correct ports on your HUB's PATed IP address for DMVPN to work.

I hope this helps.

Best Regards.

This should work. You do not need static IP addresses on the hub routers.

On the HQ-Public router

interface Fa0/0
 ip address 37.20.20.20 255.255.255.0
 duplex auto
 speed auto
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
! wildcard peer address: spokes arrive from any (dynamic or PATed) source address
crypto isakmp key DMVPNPASS address 0.0.0.0
crypto isakmp keepalive 10 periodic
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile cisco
 set security-association lifetime seconds 120
 set transform-set strong
!
interface Tunnel0
 description mGRE-DMVPN Tunnel
 ip address 10.10.10.1 255.255.255.0
 no ip redirects
 ip mtu 1410
 ip nhrp authentication DMVPNPASS
 ! hub learns each spoke's NBMA address from its NHRP registration
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp registration no-unique
 ip tcp adjust-mss 1360
 tunnel source 37.20.20.20
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile cisco

********************************************

On the hub routers

crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key DMVPNPASS address 0.0.0.0
crypto isakmp keepalive 10 periodic
! NAT keepalives keep the PAT translation for UDP 4500 alive while the tunnel is idle
crypto isakmp nat keepalive 5
! this profile has no match identity and is not referenced by the IPsec profile below; it can be removed
crypto isakmp profile HQPublic
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile cisco
 set security-association lifetime seconds 120
 set transform-set strong
!
interface Tunnel0
 ip address 10.10.10.2 255.255.255.0
 no ip redirects
 ip mtu 1410
 ! not required for DMVPN itself; marks the tunnel as an inside NAT interface
 ip nat inside
 ip nhrp authentication DMVPNPASS
 ip nhrp map multicast dynamic
 ! static mapping of the hub's tunnel address to its public (NBMA) address
 ip nhrp map 10.10.10.1 37.20.20.20
 ip nhrp map multicast 37.20.20.20
 ip nhrp network-id 1
 ip nhrp holdtime 300
 ip nhrp nhs 10.10.10.1
 ip virtual-reassembly in
 ip tcp adjust-mss 1360
 tunnel source Fa2/1
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile cisco

I don't think I missed anything.

Mike
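The two configs above, run through a small consistency check. This is an added example and not part of the thread or of the poster's configs: it embeds trimmed copies of the hub and spoke templates (indented the way IOS shows them), checks the values that must agree between DMVPN peers (NHRP network-id, tunnel key, NHRP authentication string, tunnel mode, the spoke's NHS and static map against the hub's tunnel address and tunnel source) and that the referenced IPsec profile exists on each side. It also flags 3DES and MD5, which the template uses and which Cisco's current guidance treats as legacy; swapping them for AES and SHA-2 does not change the DMVPN mechanics.

```python
"""Consistency and hygiene checks for a DMVPN hub/spoke pair of IOS configs."""

# Trimmed copies of the two configs posted in the thread (constructed here with
# IOS-style indentation so the parser can tell block children apart).
HUB_CFG = """\
crypto isakmp policy 10
 hash md5
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto ipsec profile cisco
 set transform-set strong
interface Tunnel0
 ip address 10.10.10.1 255.255.255.0
 ip nhrp authentication DMVPNPASS
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source 37.20.20.20
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile cisco
"""

SPOKE_CFG = """\
crypto isakmp policy 10
 hash md5
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto ipsec profile cisco
 set transform-set strong
interface Tunnel0
 ip address 10.10.10.2 255.255.255.0
 ip nhrp authentication DMVPNPASS
 ip nhrp map 10.10.10.1 37.20.20.20
 ip nhrp map multicast 37.20.20.20
 ip nhrp network-id 1
 ip nhrp nhs 10.10.10.1
 tunnel source Fa2/1
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile cisco
"""

LEGACY = {"esp-des", "esp-3des", "esp-md5-hmac"}   # algorithms to replace


def parse_ios(text):
    """Return {header line: [child lines]}; children are the indented lines under a header."""
    blocks, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0] in " \t" and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks


def tunnel_params(blocks, name="interface Tunnel0"):
    """Pull the settings that must agree between DMVPN peers out of one tunnel block."""
    p = {"maps": {}, "nhs": []}
    single = {("ip", "address"): "ip", ("ip", "nhrp", "authentication"): "auth",
              ("ip", "nhrp", "network-id"): "network_id", ("tunnel", "source"): "source",
              ("tunnel", "key"): "key", ("tunnel", "protection", "ipsec", "profile"): "profile"}
    for line in blocks.get(name, []):
        w = line.split()
        if w[:3] == ["ip", "nhrp", "nhs"]:
            p["nhs"].append(w[3])
        elif w[:3] == ["ip", "nhrp", "map"] and w[3] != "multicast":
            p["maps"][w[3]] = w[4]          # tunnel (protocol) address -> NBMA address
        elif w[:2] == ["tunnel", "mode"]:
            p["mode"] = " ".join(w[2:])
        else:
            for prefix, key in single.items():
                if tuple(w[:len(prefix)]) == prefix:
                    p[key] = w[len(prefix)]
    return p


def weak_crypto(blocks):
    """Flag legacy algorithms (DES/3DES, MD5) in transform sets and ISAKMP policies."""
    out = []
    for header, children in blocks.items():
        if header.startswith("crypto ipsec transform-set") and LEGACY & set(header.split()):
            out.append(f"weak transform-set: {header}")
        if header.startswith("crypto isakmp policy") and "hash md5" in children:
            out.append(f"weak ISAKMP hash: {header}")
    return out


def check_pair(hub_text, spoke_text):
    """Return a list of findings; only hygiene findings means hub and spoke agree."""
    hub_b, spoke_b = parse_ios(hub_text), parse_ios(spoke_text)
    hub, spoke = tunnel_params(hub_b), tunnel_params(spoke_b)
    findings = []
    for field in ("network_id", "key", "auth", "mode"):
        if hub.get(field) != spoke.get(field):
            findings.append(f"{field} mismatch: hub={hub.get(field)} spoke={spoke.get(field)}")
    if hub.get("ip") not in spoke["nhs"]:
        findings.append(f"spoke NHS {spoke['nhs']} is not the hub tunnel address {hub.get('ip')}")
    # Only meaningful when the hub's tunnel source is an address, as in the thread.
    if spoke["maps"].get(hub.get("ip")) != hub.get("source"):
        findings.append(f"spoke static map {spoke['maps'].get(hub.get('ip'))} "
                        f"does not match hub tunnel source {hub.get('source')}")
    for side, blocks, p in (("hub", hub_b, hub), ("spoke", spoke_b, spoke)):
        if f"crypto ipsec profile {p.get('profile')}" not in blocks:
            findings.append(f"{side}: ipsec profile {p.get('profile')} is not defined")
        findings += [f"{side}: {f}" for f in weak_crypto(blocks)]
    return findings


if __name__ == "__main__":
    for finding in check_pair(HUB_CFG, SPOKE_CFG):
        print(finding)
```

On the thread's configs the only findings are the four legacy-algorithm warnings; change the spoke's network-id or its static map and the corresponding mismatch is reported.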

Quick question burleyman,

When you mention '37.20.20.20', who is supposed to own that IP address?

The IPsec traffic sourced from the DMVPN Spokes should be able to hit the HUB's router.

At quick glance, the DMVPN config template looks good.

Best Regards.

The 37.20.20.20 is the public IP address of the HQ router, at least that is what the drawing says, and he stated the only place that has a public IP address was the HQ site. He did not say that site was DHCP, so we should be good.

Mike

That is correct, I missed that.

However, he said his ISP at the HQ site is using a PATted IP address. That makes me think that traffic sourced from somewhere on the Internet might not be able to hit the correct ports on the HQ's router. Based on that, DMVPN will not be able to properly establish a communication channel, since the encrypted NHRP control plane traffic may not be able to hit the Hub.

As mentioned at the beginning of the post:

"note : i've tried DMVPN but it give the PATed ip address to the hub :("

Anyway, if the remote sites can in fact hit the correct ports on the DMVPN HUB, the suggested configuration should be good as a starting point to establish a DMVPN network.

I hope this helps.

Best Regards.
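A small model of the two situations the replies above describe: an NHRP registration crossing a PAT device. This is an added example, not code from the thread; the addresses are constructed (203.0.113.7 for the spoke's PAT, 198.51.100.9 for a hypothetical PAT in front of the HQ, 10.0.0.1 for the hub's inside address), while UDP 500 and 4500 are the real IKE and NAT-T ports. The first scenario shows what a hub records for a spoke behind PAT: the translated address becomes the NBMA entry, because that is the only address the hub can reply to, and the spoke's own address is kept as the claimed one. The second shows why the same registration never reaches a hub that is itself behind PAT unless those ports are forwarded, which is the case the reply above says breaks the NHRP control plane.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    """Outer UDP header plus the NBMA address the spoke claims inside its NHRP registration."""
    src: str
    sport: int
    dst: str
    dport: int
    claimed_nbma: str


class PAT:
    """Port-overloading NAT: outbound flows get a public (ip, port); inbound packets are
    delivered only when a dynamic translation or a static port forward matches."""

    def __init__(self, public_ip, forwards=None):
        self.public_ip = public_ip
        self.forwards = dict(forwards or {})   # public port -> (private ip, private port)
        self.out, self.inn = {}, {}            # dynamic translations, both directions
        self.next_port = 40000

    def outbound(self, pkt):
        key = (pkt.src, pkt.sport)
        if key not in self.out:
            self.out[key] = self.next_port
            self.inn[self.next_port] = key
            self.next_port += 1
        return Packet(self.public_ip, self.out[key], pkt.dst, pkt.dport, pkt.claimed_nbma)

    def inbound(self, pkt):
        priv = self.inn.get(pkt.dport) or self.forwards.get(pkt.dport)
        if priv is None:
            return None                        # unsolicited inbound packet: dropped
        return Packet(pkt.src, pkt.sport, priv[0], priv[1], pkt.claimed_nbma)


class Hub:
    """DMVPN hub: learns each spoke's NBMA address from the registration it receives."""

    def __init__(self):
        self.nhrp_cache = {}

    def register(self, pkt, spoke_tunnel_ip):
        # The hub can only answer the outer source it actually sees, so that (post-PAT)
        # address becomes the NBMA entry; the address the spoke wrote inside the packet
        # is kept as the "claimed" NBMA address and marks the spoke as behind NAT.
        self.nhrp_cache[spoke_tunnel_ip] = {
            "nbma": pkt.src,
            "claimed": pkt.claimed_nbma,
            "behind_nat": pkt.src != pkt.claimed_nbma,
        }
        return Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.claimed_nbma)


def spoke_behind_pat():
    """Working case from the thread: spoke behind PAT, hub on its public address."""
    pat = PAT("203.0.113.7")                   # constructed public address of the spoke's PAT
    hub = Hub()
    reg = Packet("192.168.1.2", 4500, "37.20.20.20", 4500, claimed_nbma="192.168.1.2")
    reply = hub.register(pat.outbound(reg), spoke_tunnel_ip="10.10.10.2")
    back = pat.inbound(reply)                  # the entry created on the way out maps it back
    return hub.nhrp_cache["10.10.10.2"], back is not None and back.dst == "192.168.1.2"


def hub_behind_pat(forward_ports=False):
    """Failing case: the hub itself sits behind PAT with no public address of its own."""
    fwd = {500: ("10.0.0.1", 500), 4500: ("10.0.0.1", 4500)} if forward_ports else {}
    hub_pat = PAT("198.51.100.9", forwards=fwd)          # constructed PAT address of the HQ
    reg = Packet("203.0.113.7", 40000, "198.51.100.9", 4500, claimed_nbma="192.168.1.2")
    return hub_pat.inbound(reg) is not None              # True only with UDP 500/4500 forwarded


if __name__ == "__main__":
    print(spoke_behind_pat())
    print(hub_behind_pat(), hub_behind_pat(forward_ports=True))
```

The model deliberately ignores IKE itself: real routers detect the PAT during IKE (NAT-T) and move ESP into UDP 4500, which is why those two ports are the ones that matter for a hub placed behind a translator.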

Yeah, I did not quite understand the wording on the line "note : i've tried DMVPN but it give the PATed ip address to the hub :("

You are correct that there needs to be a static IP at the hub location for this to work.

Mike

Muhammad Shahid
Level 1

Saif,

I have used the same solution on my LAB and on a live network for one of our customers.

As you mentioned, you already have a public IP at your HUB site and NATed IPs on the spokes; if that's the case, I don't see any problem.