I have been playing around with DMVPN in a virtual lab. I have everything configured but have noticed some oddities. For starters, the output of ‘show vpn ipsec sa’ does not seem right with a dual hub configuration, nor is there anything in ‘show vpn ike sa’, so I am not sure how one is supposed to validate IPSec connectivity. The bigger problem I am noticing is that, when simulating IPSec connectivity issues (it happens in the real world), traffic is routed out the ‘internet’ as clear text GRE when the IPSec tunnel is down. If this were to be put into production across the actual internet, this would be a HUGE security breach. In a DMVPN scenario, how do you stop GRE from routing out to the ‘internet’ when IPSec is not established? And how can you properly verify all IPSec is established, especially with multiple hubs?