"So what you trying to achieve or improve ?"

No "touch" hub configuration as spokes are added or withdrawn.

Support for spokes using dynamic external IP addresses.

"If you have route to reach

Each of the . . ."

Yes, within the IGP routing is fine, issue is, external tunnel endpoints need to be routable too.  If you have explicitly defined routes for the external spoke tunnel IPs, then its something that has to be "touched" on the hub, also unable to define a static if I don't know what the spoke's tunnel IP is (i.e. is dynamic).

PS:

Four possible approaches I've been looking at, if unable to take direct advantage of the NHRP cache, include:

Some form of PBR.  Haven't figured out a way, if there is one, to utilize it.

Dynamic VTI rather than DMVPN.  This might work but Cisco's documentation is a bit sparse.

Placing the DMVPN routing into a different VRF.  Should allow me have a dedicated default route for this VRF, but then need to redistribute routes between VRFs (two way because will have two hubs).

Since OSPF is IGP, also considered using different area, but topology wouldn't easily support ABRs where needed.

Hi Joseph

In this case use the BFF option

But the answer here about how you can have simple defulte ruting in the HUD just for tunnel establishments with spokes is

By using the commandbtunnel vrf this cammon will let the tunnel use the specified vrf to reach the other end of the tunnel

Example int tunnel 0

Ip vrf forwarding red

Tunnel vrf blue

Int x/x

Description interface to Internet

Ip vrf forwarding blue

Ip route vrf blue 0.0.0.0 0.0.0.0

The tunnel will participate In the routing and fib of vrf red while it will use vrf blue routing table to reach the other end of the tunnel

Ini other word youl be using somthing called front end tunnel where you can leave the tunnel in the router golba routing and let it use a vrf assigned to the router external interface for tunnel estsblishment

HTH

Reading your post, and thinking about what you describe, VRF might be the solution I need while avoiding the need for mutual redistribution.  I'll try it and let you know whether what you proposed works.

PS:

What's "BFF option"?

VRF was needed, with its own default route.  Didn't need to user another VRF for the inside interface, global (the default) was all that was needed.

Although an external facing VRF was one of the key parts of the solution, couldn't get it to work.  Didn't realize it as the time, but what was needed was DMVPM using VRF aware IPSec with fVRF.  Unfortunately, none of the "cookbook" examples I found for such solutions worked.  However, by trial and error, did find a working solution.

In my case, what was needed included:

ip vrf Internet

rd 1:1

crypto keyring DMVPN vrf Internet

  local-address GigabitEthernet0/0

  pre-shared-key address 0.0.0.0 0.0.0.0 key aKey

crypto isakmp policy 10

authentication pre-share

crypto isakmp profile DMVPN

   keyring DMVPN

   match identity address 0.0.0.0 Internet

crypto ipsec transform-set DMVPN esp-aes 256 esp-sha-hmac

mode transport

crypto ipsec profile DMVPN

set transform-set DMVPN

interface Tunnel1

tunnel vrf Internet

tunnel protection ipsec profile DMVPN

interface GigabitEthernet0/0

ip vrf forwarding Internet

ip route vrf Internet 0.0.0.0 0.0.0.0