Couple of questions.
Should the key server IP address be public, or the actual tunnel interface on the hub?
Also, what should the ACL for encryption look like to encrypt traffic between tunnels, or the actual traffic between sites?
Let's say the tunnel network is 192.168.20.0/22,
where 192.168.20.1 is the hub,
192.168.20.12 is a spoke,
192.168.20.16 is a spoke,
172.20.0.0/22 is the network behind the hub,
and 172.20.12.0/22 and 172.20.16.0/22 are the networks behind the spokes.