Introduction:
This is Part 4 of the DMVPN (Dynamic Multipoint VPN) Knowledge Base series, which details the configuration of DMVPN on Digi routers.
In this article, we focus on verifying the proper operation of the DMVPN network between the Cisco HUB and two Cisco Spoke routers and will consider the following network scenario:

1. WAN Interface Activation
Upon activating the WAN interfaces, the BGP session comes up. For example, on the HUB we can see:

We observe two BGP neighbors, each corresponding to a spoke router.
2. IPsec/IKEv2 Security Associations (SAs)
To verify the operational status of IPsec tunnels on the routers, the command "show crypto ipsec sa" is executed. This command provides detailed information about the active Security Associations (SAs) established between the HUB and its connected spokes.
HUB output
The first part of the output shows the Security Association with Spoke 2:

Further down in the output, a second SA is displayed, corresponding to the tunnel established with Spoke 1:

Spoke 1 Output

Spoke 2 Output

The outputs above confirm that both IPsec/IKEv2 tunnels—between the HUB and Spoke 1, and between the HUB and Spoke 2—have been successfully established and are fully operational:

The following key parameters are observed:
- Traffic Selectors:
  - Local: WAN IP address of the HUB / Spoke 1 / Spoke 2
  - Remote: WAN IP address of Spoke 2 / Spoke 1 / HUB
  - Encapsulated Protocol: GRE (Protocol 47), indicating that the IPsec tunnel is used to encapsulate GRE traffic
- Packet Counters: Both encrypted and decrypted packet counters are incrementing, confirming active, bidirectional traffic flow
- Transform Set: The negotiated transform set matches the configured parameters, ensuring the use of expected encryption and integrity algorithms (e.g., AES for encryption, SHA for integrity)
- Tunnel Status: The SA is in an active state, with no errors or drops reported, indicating a stable and secure tunnel
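
The checks in the list above can be scripted. The following added example (not part of the original article or of any Digi/Cisco tooling) parses two captures of "show crypto ipsec sa" taken a short time apart and reports, per peer, which of the listed parameters is off. The sample output is constructed in the usual IOS layout with documentation addresses, and the expected transform set "esp-aes esp-sha-hmac" is an assumption; substitute the one configured on your routers.

```python
import re

# Constructed sample in the usual IOS layout (documentation addresses, not from the article).
TEMPLATE = """\
interface: Tunnel0
   local  ident (addr/mask/prot/port): (198.51.100.1/255.255.255.255/{proto}/0)
   remote ident (addr/mask/prot/port): (203.0.113.{n}/255.255.255.255/{proto}/0)
   current_peer 203.0.113.{n} port 500
    #pkts encaps: {enc}, #pkts encrypt: {enc}, #pkts digest: {enc}
    #pkts decaps: {dec}, #pkts decrypt: {dec}, #pkts verify: {dec}
    #send errors {err}, #recv errors 0
     inbound esp sas:
        transform: {xf} ,
        Status: {st}
"""

def sample(n, enc, dec, proto=47, err=0, xf="esp-aes esp-sha-hmac", st="ACTIVE(ACTIVE)"):
    return TEMPLATE.format(n=n, enc=enc, dec=dec, proto=proto, err=err, xf=xf, st=st)

PROTO = r"\(addr/mask/prot/port\): \([\d.]+/[\d.]+/(\d+)/\d+\)"

def parse_sas(text):
    """Return {peer_ip: fields}; one block per 'local ident' line (one per peer)."""
    sas = {}
    for block in re.split(r"(?m)^ *local +ident", text)[1:]:
        num = lambda pat: int(re.search(pat, block).group(1))
        sas[re.search(r"current_peer (\S+)", block).group(1)] = {
            "protos": (num(PROTO), num("remote +ident " + PROTO)),
            "enc": num(r"#pkts encrypt: (\d+)"), "dec": num(r"#pkts decrypt: (\d+)"),
            "errors": num(r"#send errors (\d+)") + num(r"#recv errors (\d+)"),
            "transforms": set(re.findall(r"transform: (.+?) *,", block)),
            "states": set(re.findall(r"Status: (\w+)", block))}
    return sas

def audit(before, after, expected="esp-aes esp-sha-hmac"):
    """Compare two captures; return {peer: [problems]}. 'expected' is an assumed transform set."""
    old, new, report = parse_sas(before), parse_sas(after), {}
    for peer, sa in new.items():
        prev = old.get(peer, sa)  # a peer absent from the first capture cannot show growth
        checks = [
            (sa["protos"] == (47, 47), "traffic selector is not GRE (protocol 47)"),
            (sa["enc"] > prev["enc"], "encrypt counter not incrementing"),
            (sa["dec"] > prev["dec"], "decrypt counter not incrementing"),
            (sa["errors"] == 0, "send/recv errors reported"),
            (sa["transforms"] == {expected}, "unexpected transform set"),
            (sa["states"] == {"ACTIVE"}, "SA not ACTIVE"),
        ]
        report[peer] = [msg for ok, msg in checks if not ok]
    return report
```

An empty problem list for a peer means every parameter from the list checked out between the two captures.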
3. BGP Route Propagation
The BGP routing table can be verified using the command "show ip bgp".
HUB Output

Spoke 1 Output

Spoke 2 Output

Referring to the network diagram below:

In the router outputs, it can be noticed that:
- Entries marked with an “i” indicate routes received via iBGP from remote peers.
- Entries without an “i” represent the LAN of each router.
- Note: Each Spoke receives the LAN of the other Spoke via the HUB, which acts as an iBGP Route Reflector, redistributing routes between Spoke 1 and Spoke 2.
On all the routers, these BGP-learned routes are reflected in the main routing table, marked with a B, as can be seen with the command "show ip route":
HUB

Spoke 1

Spoke 2

All the above confirms that BGP route propagation is functioning as intended.
4. DMVPN Status
With the command "show dmvpn" we can see the DMVPN / NHRP status on the routers.
HUB Output

Spoke 1 Output

Spoke 2 Output

From the output above, we can observe the following:
- On the HUB: two active peers, corresponding to the two Cisco spokes (connected and operational).
- On each Spoke: one active peer, corresponding to the Cisco HUB.
Notes:
On the HUB, one peer shows as "unknown" due to a pending BGP configuration for the Digi router, which is not yet completed at this stage.
On each Spoke, at this point, there is not yet any site-to-site traffic that would bring up a second DMVPN peer corresponding to the other Spoke.
5. Testing
To validate the DMVPN network, the following connectivity tests are performed:
Spoke 1 to HUB
A ping is initiated from a PC on the Spoke 1 LAN to a PC on the HUB LAN and the result is successful:

This confirms that LAN-to-LAN communication between Spoke 1 and the HUB is functioning correctly over the DMVPN network:

Spoke 1 to Spoke 2
A ping was initiated from a PC on the Spoke 1 LAN to a PC on the Spoke 2 LAN and the result is successful:

This confirms that LAN-to-LAN communication between Spoke 1 and Spoke 2 is operational and that DMVPN shortcut routing is working as expected:

DMVPN and IPsec Status after Spoke to Spoke traffic
As a further verification, after initiating the ping from Spoke 1 to Spoke 2, the DMVPN status on Spoke 1 can be checked again with the command "show dmvpn":

This shows that a second peer entry appeared, indicating that a direct tunnel between Spoke 1 and Spoke 2 was dynamically established.
The IPsec SAs can also be checked again on Spoke 1, with the following result:

Further Information
Related Video: [link]
Next KB of the series: [link to part5]
Introduction and KB/Video Index: [link to KB - 0 that contains all video/kb list and links]
Last updated:
Jul 14, 2025