The extremely helpful article:
formatting link
mentions that the long-standing anomaly that required crypto maps to be applied to tunnel interfaces in addition to the interfaces through which the encapsulated traffic flows has been eliminated as of 12.2(13)T. This raises the question: if you now apply a crypto map to a tunnel interface does it do what you would expect absent the historical anomaly, i.e., encrypt traffic inside the tunnel? In other words, does the crypto map command applied to a tunnel interface now have the same semantics as on all other interface?
I suspect the answer to my question is ``no'' since otherwise most of the complexity of the rest of the DMVPN implementation would be unnecessary: you could simply use a crypto map with a wildcard ACL on the tunnel interfaces and not have to worry about the dynamic external addresses. But I can dream...
Dan Lanciani ddl@danlan.*com