On the hub, I can see that the tunnel is up but I am unable to ping the Spoke tunnel IP: 172.29.255.201

I have a single hub and multiple spokes but with this spoke, i want to use to ISP and one is starlink. I created two tunnels on spoke and used shared tunnel protection. one tunnel for the other ISP and one tunnel for starlink, both to be connected to the single tunnel dmvpn hub.

Hello,

post the running configs of your hub and spoke routers...

only one router is affected when connection is pushed through starlink. when pushed through other ISP no issues. so config is definitely not the issue.

Hello,

post the spoke config anyway, as we do not know what you have configured (Phase 1/2/3, which underlying routing, etc.), we may spot something. Starlink uses TCP spoofing optimization; if you use the default policy, you are also dealing with CGNAT. Are you using a 100.64.0.0/10 IP address (which means you are using the default policy) ?

flags is DN meaning dyanimc NAT 

And the claimed IP appear' this good indication that hub detect behind NAT spoke'

Last steps is you need to use 

Ipsec transfers AH no ESP 

Also you need to use trabsport mode not tunnel mode.

MHM

does that mean i change the hub also to AH? using transport mode

In spoke add AH and transport 

In Hub add AH only as second ipsec trans' 

This make hub work with spoke use esp and spoke use AH with transport 

MHM

can you provide me a sample config for this? i don't seem to get what you mean.

Hub config 

Crypto ipsec trans spoke1 esp- 

Mode tunnel 

!

Crypto ipsec trans AH- 

Mode transport 

In Spoke1 (behind NAT)

Crypto ipsec trans AH- 

Mode transport 

In Spoke2 (not behind NAT)

Crypto ipsec trans ESP-

Mode tunnel 

MHM

Thank you. I will keep this for future reference

without AH and transport ??

MHM