DMVPN - IPsec encryption order of operations
When employing IPSec in conjunction with a DMVPN topology, it is important to understand the proper order of operations that take place when it comes to GRE, NHRP, and encryption.
Encryption takes place before the multipoint GRE or the NHRP protocols are applied. Encryption, provided by IPSec, happens before the encapsulation of data into multipoint GRE and the NHRP protocol. In other words, data is encrypted first by IPSec to ensure confidentiality, then encapsulated in multipoint GRE for routing, and finally, NHRP is used for address resolution.
This means that the GRE headers and the NHRP additional information remain unencrypted.
Links:
https://forum.networklessons.com/t/dmvpn-over-ipsec/1316/69?u=lagapidis
https://networklessons.com/cisco/ccie-routing-switching/dmvpn-over-ipsec/