Don't usually poke NANOG for a second pair of eyes, but got hit with an urgent need to get connectivity up on a small budget. I've run into a situation where I require multiple DMVPN spokes to be behind a single NAT IP (picture of things to come with CGN?) The DMVPN endpoint works fine behind NAT until a 2nd is added behind the same IP address. At that point the hub gets confused and I start seeing packet loss to the endpoints in a round-robin fashion. As far as I can see Cisco documentation says pretty clearly that each DMVPN spoke requires a unique IP address. Is there any way around this, or do I need to be looking at an alternative VPN solution? Hub config: ----8<---- description DMVPN bandwidth 100000 ip address 10.231.254.1 255.255.255.0 no ip redirects ip mtu 1400 ip nhrp authentication ! removed ip nhrp map multicast dynamic ip nhrp network-id 1 ip nhrp redirect ip tcp adjust-mss 1360 tunnel source ! removed tunnel mode gre multipoint tunnel key 0 tunnel protection ipsec profile DMVPN ----8<---- Spoke: ----8<---- interface Tunnel2 description DMVPN bandwidth 100000 ip vrf forwarding DMVPN ip address 10.231.254.10 255.255.255.0 no ip redirects ip mtu 1400 ip nhrp authentication ! removed ip nhrp map multicast ! removed ip nhrp map 10.231.254.1 ! removed ip nhrp network-id 1 ip nhrp nhs 10.231.254.1 ip nhrp shortcut ip tcp adjust-mss 1360 tunnel source FastEthernet0/0 tunnel mode gre multipoint tunnel key 0 tunnel protection ipsec profile DMVPN end ----8<---- -- Ray Patrick Soucy Network Engineer University of Maine System T: 207-561-3526 F: 207-561-3531 MaineREN, Maine's Research and Education Network www.maineren.net