I had this problem too on a brand new C1161-8PLTEP running IOS 17.09.04.
The DMVPN tunnel would not establish back to the hub router in HQ.
When I downgraded the IOS to 17.03.04 the DMVPN worked, however the 5G NIM was not detected by the router as this IOS is too old.
I came across this article which says:
If the IPsec configuration is not updated to use strong cryptographic algorithms prior to the Cisco IOS XE Release 17.11.1 software upgrade. I'm not using 17.11 but I thought this could be my problem. I did notice on C1161 my spoke router it added "group 14" under my "crypto isakmp policy 10"
Field Notice: FN - 72510 - Cisco IOS XE SW: Weak Cryptographic Algorithms Are Not Allowed by Default for IPsec Configuration in Cisco IOS XE Release 17.11.1 and Later - Configuration Change Recommended - Cisco
I didn't really want to go with the not-recommended workaround:
crypto engine compliance shield disable
However, I thought I'd give it a try and once I modified the following config:
"crypto isakmp policy 10"
"no group 14"
"group 1"
Bang - it worked!
So I wasn't stuck with unsupported configuration, I undid my changes, logged into the Hub router at HQ and added a second crypto isakmp policy (15) to my config with a group of 14.
I also applied the same config on my spoke router C1161:
crypto isakmp policy 15
encr aes 256
hash sha256
authentication pre-share
group 14
Bang - it also worked!
I hope this help you out - I was stuck on this one for a few days.
