DMVPN Troubleshoot

AnderHerrera
Level 1

Hello

What is your issue?
Can you show your routing protocol (if any) and also your IPsec configuration?

 

res

Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

crypto isakmp policy 1
 encr aes 256
 hash md5
 authentication pre-share
 group 2
crypto isakmp key DMVPN@2013 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set dmvpnK esp-aes esp-sha-hmac
!
crypto ipsec profile IpsecK
 set security-association lifetime seconds 86400
 set transform-set dmvpnK

 

I have IPsec configured but I can't ping or Telnet into ISP1 from ISP2. I also can't ping my tunnel IP address.


Your configuration is looking great, but you are missing some points which Cisco recommends:

ip mtu 1400

tunnel key 0

For reference, see the link below:

http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/47541-dmvpn-ezvpn-isakmp.html

 

HTH

kazim


johnlloyd_13
Level 9

Hi,

You're missing the tunnel key <key> command on both hub and spoke routers (MAIN and CLIENT).

Both should reference the same key number.

Could you also try using the interface name instead of an IP address for your tunnel source?

Make sure both can ping each other.

tunnel source GigabitEthernet0

Try creating loopbacks with private IP address and static routing configured.

Issue a ping and the show commands below, and kindly post the output:

show ip nhrp

debug tunnel

Hello

Does the IPsec/gre work without NHRP being configured?
Do you have reachability between the tunnel endpoints before applying IPsec and NHRP?

I would suggest that if you are not going to use dynamic routing, then make your static routes more specific and specify the traffic that you want to be encrypted, pointing it to go over the tunnel:

ip route x.x.x.x y.y.y.y tunnel 0
 

Also try applying the following on both hub/spoke:

interface Tunnel0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel key 0

 

 

res

Paul

 

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
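
An added example, not part of any reply in this thread: a small Python check that scans a router configuration for the tunnel-interface commands the replies recommend (tunnel key, ip mtu 1400, ip tcp adjust-mss 1360, and an interface name as tunnel source). The hub and spoke stanzas, their addresses and the function names are constructed for illustration.

```python
import re

# Constructed sample tunnel stanzas (not the poster's configs).
HUB = """interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 tunnel source 192.0.2.1
 tunnel mode gre multipoint
 tunnel protection ipsec profile IpsecK
"""
SPOKE = """interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0
 tunnel key 0
 tunnel protection ipsec profile IpsecK
"""

def tunnel_stanza(config, name="Tunnel0"):
    """Return the sub-commands under 'interface <name>'."""
    cmds, inside = [], False
    for line in config.splitlines():
        if not line.startswith(" "):  # any top-level line opens or closes a stanza
            inside = line.strip().lower() == f"interface {name}".lower()
        elif inside:
            cmds.append(line.strip())
    return cmds

def tunnel_key(config):
    """Return the configured tunnel key, or None when there is none."""
    return next((c.split()[2] for c in tunnel_stanza(config)
                 if c.startswith("tunnel key ")), None)

def audit(config):
    """List the suggestions from the replies that this tunnel does not follow."""
    cmds = tunnel_stanza(config)
    findings = [f"{want} missing" for want in ("ip mtu 1400", "ip tcp adjust-mss 1360")
                if want not in cmds]
    if tunnel_key(config) is None:
        findings.append("tunnel key missing")
    src = next((c.split()[2] for c in cmds if c.startswith("tunnel source ")), "")
    if re.fullmatch(r"\d+(\.\d+){3}", src):
        findings.append("tunnel source is an IP address")
    return findings

if __name__ == "__main__":
    print("hub:  ", audit(HUB))
    print("spoke:", audit(SPOKE))
    print("keys match:", tunnel_key(HUB) == tunnel_key(SPOKE))
```

Run it against the saved running-config of each router; a key present on one side only shows up as "keys match: False".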