Vyatta Network OS Documentation

Learn how to install, configure and operate the Vyatta NOS, which helps drive our virtual networking & physical platforms portfolio.

Simplification of hub-and-spoke topologies

Many large IP Security (IPsec) virtual private networks (VPNs) use a hub-and-spoke topology to reduce the number of connections required for full connectivity. But even a hub-and-spoke IPsec VPN network can be difficult to scale for any of the following reasons:

  • Hub configuration can become exceedingly complex when there are many spoke devices because VPN endpoints are statically configured. This problem is exacerbated in networks where addressing changes frequently.
  • A full set of tunnels consumes a great many IP addresses because every set of tunnel endpoints requires a separate IP address space.
  • The hub becomes a single point of failure for the network.
  • The hub must process all network traffic and can become a processing bottleneck.

A dynamic multipoint VPN improves scaling for hub-and-spoke networks by allowing IPsec tunnels to be dynamically added as needed, without configuration. This greatly simplifies hub configuration and reduces the need for IP address space. In addition, after the hub-and-spoke network has been dynamically built out, network spokes can learn to communicate directly with each other, thereby reducing the burden on the hub.