Dynamic Multipoint Virtual Private Network

Last updated October 15, 2025

Dynamic Multipoint Virtual Private Network (DMVPN)^[1] is a dynamic tunneling form of a virtual private network (VPN) supported on Cisco IOS-based routers, Huawei AR G3 routers,^[2] and Unix-like operating systems.

DMVPN provides the capability for creating a dynamic-mesh VPN network without having to statically pre-configure all possible tunnel end-point peers, such as IPsec and ISAKMP peers.^[3] DMVPN is initially configured to build a hub-and-spoke network by statically configuring the hubs (VPN headends) on the spokes; no change in the configuration on the hub is required to accept new spokes. Using this initial hub-and-spoke network, tunnels between spokes are dynamically built on demand without additional configuration on the hubs or spokes. This dynamic-mesh capability alleviates the need for any load on the hub to route data between the spoke networks.^{[ citation needed ]}

Technologies

Next Hop Resolution Protocol, RFC 2332
An IP-based routing protocol, EIGRP, OSPF, RIPv2, BGP or ODR (DMVPN hub-and-spoke only).^[4]
Generic Routing Encapsulation (GRE), RFC 1701, or multipoint GRE if spoke-to-spoke tunnels are desired
IPsec (Internet Protocol Security) using an IPsec profile, which is associated with a virtual tunnel interface in IOS software. All traffic sent via the tunnel is encrypted per the policy configured (IPsec transform set)

Internal routing

Routing protocols such as OSPF, EIGRP v1 or v2 or BGP are generally run between the hub and spoke to allow for growth and scalability. Both EIGRP and BGP allow a higher number of supported spokes per hub.^[5]

Encryption

As with GRE tunnels, DMVPN allows for several encryption schemes (including none) for the encryption of data traversing the tunnels. For security reasons Cisco recommend that customers use AES.^[6]

Phases

DMVPN has three phases that route data differently.

Phase 1: All traffic flows from spokes to and through the hub.
Phase 2: Start with Phase 1 then allows spoke-to-spoke tunnels based on demand and triggers.
Phase 3: Starts with Phase 1 and improves scalability of and has fewer restrictions than Phase 2.

References

↑ Cisco engineers. "Dynamic Multipoint IPsec VPNs (Using Multipoint GRE/NHRP to Scale IPsec VPNs)". Cisco. Cisco. Retrieved 24 September 2017.
↑ Huawei DSVPN Configuration
↑ Kurniadi, S. H.; Utami, E.; Wibowo, F. W. (Dec 2018). "Building Dynamic Mesh VPN Network using MikroTik Router". Journal of Physics: Conference Series. 1140 012039. doi: 10.1088/1742-6596/1140/1/012039 . ISSN 1742-6596.
↑ DMVPN Design Guide: Using a Routing Protocol Across the VPN
↑ DMVPN Design Guide: Routing Protocol Configuration
↑ DMVPN Design Guide: Best Practices and Known Limitations

External links

Cisco DMVPN

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[Cisco2006-1] Cisco engineers. "Dynamic Multipoint IPsec VPNs (Using Multipoint GRE/NHRP to Scale IPsec VPNs)". Cisco. Cisco. Retrieved 24 September 2017.

[2] Huawei DSVPN Configuration

[3] Kurniadi, S. H.; Utami, E.; Wibowo, F. W. (Dec 2018). "Building Dynamic Mesh VPN Network using MikroTik Router". Journal of Physics: Conference Series. 1140 012039. doi: 10.1088/1742-6596/1140/1/012039 . ISSN 1742-6596.

[4] DMVPN Design Guide: Using a Routing Protocol Across the VPN

[5] DMVPN Design Guide: Routing Protocol Configuration

[6] DMVPN Design Guide: Best Practices and Known Limitations

[1]

[2]

[3]

[4]

[5]

[6]

Dynamic Multipoint Virtual Private Network

Contents

Technologies

References

External links