I am trying to get DMVPN phase 2 working, I have recently decided to change all of our spoke routers default gateway to go over the DMVPN tunnel back to the hub. I have done this to reduce the admin work on firewall rules to the Internet and have all spokes come back to our central ASA for Internet access. I have a static route on the spokes to our outside hub ip address forwarding to our ISP next hop so phase one tunnel comes up. Till now I have not discovered a best practice on how to bring up phase 2 with this configuration. The only thing I can think of is using a local policy on the router with a match ESP traffic and forward to the next hop. Does anyone either use or know of another recommend way?
For spoke-to-spoke tunnels in DMVPN Phase2, the key requirement is to have an appropriate content in your spokes' route tables. The routing must be set up so that all networks learned from spoke A use the next hop of spoke A on all other spokes, all networks learned from spoke B use the next hop of spoke B on all other spokes, etc. Simply, if a spoke advertises a set of networks, other spokes must be using the this spoke, not the hub, to reach those networks. This will facilitate the creation of spoke-to-spoke tunnels. Clearly, this is not feasible to be done manually - instead, a routing protocol should be used for this. OSPF, EIGRP and BGP are good protocols that can be configured so that they maintain the next hop addresses of spoke networks.
However, you may actually be interested in running DMVPN Phase3 that allows for spoke-to-spoke tunnels while making the configuration easier than in DMVPN Phase2. In DMVPN Phase3, all spokes point towards the hub for all networks, including spoke networks. However, if the hub receives a packet from a spoke that is supposed to be routed to another spoke, it will send a NHRP Redirect message to the sending spoke, instructing it of a better route. This way, you can be fine with having default routes on your spokes pointing to the hub, not even requiring the knowledge of other spokes' networks, and still have spoke-to-spoke tunnels. Read more about DMVPN Phase3 here: