DMVPN over IPsec Question

Hi all,

As far as I know, when a router receives an IPsec phase 1 negotiation packet, it only checks whether it has a configured ISAKMP key associated with the source IP of the packet. However, when a router receives an IPsec phase 2 negotiation packet, it checks the source/destination IP of the packet against the tunnel source/destination of the crypto map configured under the receiving interface.

I know that the encryption for DMVPN is not configured like a normal crypto map. However, I think the above logic should also apply to DMVPN over IPsec. I want to understand how it is applied.

Let's think about this example. In a DMVPN phase 2 environment, before a spoke (R1) sends a packet to another spoke (R2), it should first learn R2's NBMA IP address. Therefore R1 should send an NHRP resolution request. Since the hub has established IPsec tunnels with all spokes, there will be no problem with sending the encrypted resolution request to the hub. After R2 receives the resolution request, it will first record the NBMA IP of R1 in its NHRP table. Now R2 should send a resolution reply to R1. However, since R2 has to encrypt that packet, it should first establish an IPsec tunnel. So R2 starts phase 1 negotiation. I understand how phase 1 negotiation will be successful. After successful phase 1 negotiation, R2 will start phase 2 negotiation. According to the logic in the first paragraph, R1 should check the source/destination IP address of the received phase 2 negotiation packet. Since R1 has not received the NHRP resolution reply yet, it does not have the NBMA IP of R2 in its NHRP table. Therefore it doesn't know the tunnel destination and it should drop the packet. However, phase 2 negotiation is also completed successfully. How does this happen?

Kind Regards.

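The point the question turns on is which state the receiving spoke consults when it evaluates the phase 2 proposal. With a static crypto map the remote peer and the proxy identities come from the configuration (`set peer`, the crypto ACL), so an unknown peer is rejected. With `tunnel protection ipsec profile` on an mGRE interface the profile carries no peer list and no ACL: the proxy identities are the local tunnel source, the remote NBMA address that authenticated in phase 1, and GRE, so the check never looks at the NHRP table, and the resolution reply can then be delivered over the SA that was just built. The model below is an added illustration, not code from the original post or from Cisco; its decision rules are a deliberate simplification of the two behaviours, and all addresses, names and the transform string are constructed for the example.

```python
"""Simplified model of a spoke's phase 2 (quick mode) acceptance check,
contrasting a static crypto map with DMVPN tunnel protection.
Assumption: the decision rules below are a simplified illustration of the
two mechanisms, not an implementation of IOS behaviour."""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

GRE = "gre"  # proxy identity protocol used by tunnel protection


@dataclass
class Phase2Proposal:
    """Identity information carried in a received phase 2 proposal."""
    peer_nbma: str      # source IP of the received IKE packet
    local_nbma: str     # destination IP of the received IKE packet
    proxy_proto: str    # protocol in the proxy identities ("gre" for DMVPN)
    transform: str      # proposed transform set


@dataclass
class CryptoMapPolicy:
    """Static crypto map: explicit 'set peer' list and crypto ACL, so the
    remote address must already be present in the configuration."""
    local_addr: str
    peers: Set[str]
    transforms: Set[str]

    def accept(self, p: Phase2Proposal, nhrp: Dict[str, str]) -> Tuple[bool, str]:
        if p.local_nbma != self.local_addr:
            return False, "destination does not match the crypto map's local address"
        if p.peer_nbma not in self.peers:
            return False, f"{p.peer_nbma} is not in the crypto map 'set peer' list"
        if p.transform not in self.transforms:
            return False, "no matching transform set"
        return True, "peer and proxy identities match the static crypto map"


@dataclass
class TunnelProtectionPolicy:
    """mGRE tunnel with 'tunnel protection ipsec profile': the profile has no
    peer list and no ACL. The proxy identities are the tunnel source, the
    remote NBMA address authenticated in phase 1, and GRE."""
    tunnel_source: str
    transforms: Set[str]

    def accept(self, p: Phase2Proposal, nhrp: Dict[str, str]) -> Tuple[bool, str]:
        if p.local_nbma != self.tunnel_source:
            return False, "destination is not the source of a protected tunnel"
        if p.proxy_proto != GRE:
            return False, "proxy identity is not GRE"
        if p.transform not in self.transforms:
            return False, "no matching transform set"
        # The NHRP table is not part of this check: the remote NBMA address is
        # taken from the IKE session itself, so no mapping for the peer is needed.
        return True, f"accepted without an NHRP mapping for {p.peer_nbma}"


@dataclass
class Spoke:
    name: str
    nbma: str
    tunnel_ip: str
    policy: object
    nhrp: Dict[str, str] = field(default_factory=dict)  # tunnel IP -> NBMA IP


def spoke_to_spoke_scenario():
    """Walk through the spoke-to-spoke case from the question: R2 opens
    phase 2 toward R1 before R1 holds an NHRP entry for R2."""
    hub_nbma, hub_tunnel = "203.0.113.1", "10.0.0.254"  # constructed addresses
    transforms = {"esp-aes esp-sha-hmac"}
    r1 = Spoke("R1", "198.51.100.1", "10.0.0.1",
               TunnelProtectionPolicy("198.51.100.1", transforms), {hub_tunnel: hub_nbma})
    r2 = Spoke("R2", "198.51.100.2", "10.0.0.2",
               TunnelProtectionPolicy("198.51.100.2", transforms), {hub_tunnel: hub_nbma})
    # R2 has processed R1's resolution request (relayed by the hub) and
    # recorded R1's NBMA address; R1 still knows only the hub.
    r2.nhrp[r1.tunnel_ip] = r1.nbma
    had_mapping_before = r2.tunnel_ip in r1.nhrp
    # R2 must encrypt the resolution reply, so it initiates IKE toward R1.
    proposal = Phase2Proposal(peer_nbma=r2.nbma, local_nbma=r1.nbma,
                              proxy_proto=GRE, transform="esp-aes esp-sha-hmac")
    accepted, reason = r1.policy.accept(proposal, r1.nhrp)
    if accepted:
        # The resolution reply now travels over the new SA and installs the mapping.
        r1.nhrp[r2.tunnel_ip] = r2.nbma
    return had_mapping_before, accepted, reason, dict(r1.nhrp)


def crypto_map_comparison():
    """The same proposal against a static crypto map that only lists the hub."""
    policy = CryptoMapPolicy("198.51.100.1", {"203.0.113.1"}, {"esp-aes esp-sha-hmac"})
    proposal = Phase2Proposal("198.51.100.2", "198.51.100.1", GRE, "esp-aes esp-sha-hmac")
    return policy.accept(proposal, {})


if __name__ == "__main__":
    print(spoke_to_spoke_scenario())
    print(crypto_map_comparison())
```

Running the scenario shows R1 accepting R2's proposal while its NHRP table still holds only the hub, and the R2 mapping appearing only after the reply arrives over the new SA; the crypto map variant rejects the same proposal because R2 is not a configured peer.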