Unbelievably, this is nearly impossible to find on the internet, as most DMVPN setups use transport mode to save the overhead of an extra IPsec tunnel IP header. That method will not work with CG-NAT when two spokes share the same public IP, and I do not think it works with PAT/NAPT, as I do not think an extra UDP header gets added when IPsec is in transport mode.
Would love to see a build-up of phase 1 DMVPN using this IPsec tunnel mode.