Some basic IOS IPsec/DMVPN commands to aid with troubleshooting:
show dmvpn detail
show ip nhrp
show ip nhrp multicast
show crypto isakmp sa
show crypto isakmp policy
show crypto ipsec sa
show run | s isakmp
show run | s ipsec
show run | s interface Tunnel
debug crypto isakmp
debug crypto ipsec
Remember to enable terminal monitor if you are remote
If you have a dedicated DMVPN router and want to apply a simple access list to the public interface to block all other traffic, this is what you need opened up:
permit esp any any
permit udp any eq isakmp any eq isakmp
and if you have NAT-T, then you also need:
permit udp any eq non500-isakmp any eq non500-isakmpHere is a quick and clean DMVPN Phase 1 Configuration:
Hub Router
IPsec:
HUB01(config)# crypto isakmp policy 10
HUB01(config-isakmp)# encr 3des
HUB01(config-isakmp)# hash md5
HUB01(config-isakmp)# authentication pre-share
HUB01(config)# crypto isakmp key CISCO address 0.0.0.0 0.0.0.0
HUB01(config)#crypto ipsec transform-set TR_SET esp-3des
HUB01(cfg-crypto-trans)# mode transport
HUB01(config)