High Level Overview
To explain ADVPN it is useful to contrast it with the two main alternatives - Hub & Spoke and Full Mesh.
In a Hub & Spoke network one site is deemed the Hub, with all other sites - Spokes - connecting directly to the Hub. In a Full Mesh all sites connect to all other sites.
ADVPN starts as Hub & Spoke, with one site deemed the Hub - but all Spokes can directly connect by getting connection details from the Hub.
Using ADVPN reduces the number of IPsec tunnels that need to be maintained by each site - as they only need to have persistent connects to the Hub and will have temporary connections to the other Spokes - as required for traffic.
A common use case is a VoIP deployment, where Spokes will need to directly connect to each other for calls.
Comparing a Full Mesh, Hub & Spoke and ADVPN in terms of a VoIP system is useful, so let’s do that…
First, there are n sites and each site has only one outbound connection (DIA or MPLS).
In a Full Mesh, all sites are persistently connected to each other. So each site has (n - 1) IPsec tunnels. VoIP connections can be quickly made between sites, because the routing is persistently in place.
In a Hub & Spoke all Spokes have 1 IPsec tunnel - back to the Hub, and the Hub has (n - 1) IPsec tunnels. VoIP connections between two sites must route through the Hub. This can lead to some unoptimized paths, as two sites geographically close could be sending traffic to a geographically distant Hub.
In ADVPN all Spokes have 1 persistent IPsec tunnel - back to the Hub, and the Hub has (n - 1) IPsec tunnels, until two Spokes need to complete a call. When a new VoIP call is initiated the traffic will initially be sent to the Hub and routed to the other Spoke, then the Hub will provide details for the two Spokes to connect directly.
Second, there are n sites and each site has two outbound connections (DIA or MPLS) with IPsec connections setup to be fully redundant.
In a Full Mesh, all sites have four IPsec connections to all other sites. I believe that would make the math 4(n - 1), per site.
In a Hub & Spoke all Spokes have 4 IPsec tunnels back to the Hub, and the Hub has 4(n - 1) IPsec connections to the Spokes.
In ADVPN all Spokes have 4 IPsec tunnel back to the Hub. They will bring up 4 tunnels to each other Spoke as required.
Why 4 tunnels instead of 2? Because each site has 2 outbound connections, that will make 2 endpoints at each end of the connection. To have these fully redundant Hub link 1 will need to connect to Spoke link 1 and Spoke link 2, the same with Hub link 2.
So there are 4 connections.
This applies to the Full Mesh as well, greatly compounding the number of IPsec tunnels in a Full Mesh with two Internet connections at each location.