sorry, once you place the "tunnel protect" command on the tunnel, traffic using the tunnel is encrypted;
you can use policy routing to avoid routing the already encrypted traffic through the tunnel... but why would you want to do that?
from a management and configuration standpoint it's fine to have everything go through the tunnel. on a router with a hardware crypto engine it's really not much overhead... if anything policy routing would add more overhead than adding ipsec to already encrypted traffic.
you should upgrade the router to 12.4 so you can use dynamic policy routing. policy routing can now be configured to use track objects, and availability checks of the next hop. in your case i would policy route all ssh/https encrypted data around the tunnel (not much overhead here) and fall back to another path if necessary. evaluate the following configuration and let me know if you have any questions-
route-map vlan10-policy permit 10
match ip address MPLS-USERS-TO-VERIZON
set ip next-hop verify-availability 10.0.1.22 10 track 2
track 2 ip route 188.8.131.52 255.255.255.255 reachability
Here, I'm tracking that Verizon is sending me a route on R2, and this route is sent on to R1 where the policy route is configured.
in your case i would run an IP SLA ping, and track that. If that succeeds don't take the dmvpn, if it fails take the dmvpn, or vice versa depending on your overall goal.
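The IP SLA variant of the above, written out as an added example (not the poster's configuration): a spoke router probes the direct next hop, and SSH/HTTPS traffic from the user VLAN is policy-routed around the DMVPN tunnel only while that probe succeeds. All addresses, interface names and object numbers are assumptions.

```cisco
! Constructed example: dynamic PBR on a spoke router (hypothetical addresses and interface names)
! Probe the direct next hop every 10 seconds from the outside interface
ip sla 1
 icmp-echo 10.0.1.22 source-interface GigabitEthernet0/1
 frequency 10
ip sla schedule 1 life forever start-time now
!
! Track object goes down when the probe fails (older 12.4 images use "track 1 rtr 1 reachability")
track 1 ip sla 1 reachability
!
! Only traffic that is already encrypted at the application layer bypasses the tunnel
ip access-list extended ALREADY-ENCRYPTED
 permit tcp 192.168.10.0 0.0.0.255 any eq 22
 permit tcp 192.168.10.0 0.0.0.255 any eq 443
!
! The next hop is used only while track 1 is up; otherwise the set clause is ignored
! and the packet follows the normal routing table, i.e. the DMVPN tunnel
route-map BYPASS-TUNNEL permit 10
 match ip address ALREADY-ENCRYPTED
 set ip next-hop verify-availability 10.0.1.22 10 track 1
!
interface Vlan10
 ip policy route-map BYPASS-TUNNEL
```

Check the state with "show track 1" and "show route-map BYPASS-TUNNEL"; note that this only steers traffic leaving the spoke, so return traffic from the hubs still arrives over the tunnel unless the hubs are configured the same way.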
My concerns about PBR are on the hub routers. If I use PBR only in the spoke router, I would have asymmetric routing on the hub sites, because they would send returning traffic through the tunnel.
On the other side, configuring PBR on the hub sites would be very complex and not scalable. There are 2 hub routers and they are in 2 different sites, and these sites themselves are connected through 2 other routers and 3 links.
Anyway, I didn't know about dynamic PBR. I think it will be useful for a couple of problems I have here.