[c-nsp] BGP problem on IPSec links
zarenks
zarenks at wp.pl
Mon Mar 23 18:50:22 EDT 2009
Hi,
I wonder if anyone has experienced the problem I have noticed with
dynamic routing (BGP) running over IPSec link.
I have traced the archived posts regarding the IPSec problems but could
not find anything regarding my case.
There is a typical remote access site connected to MPLS-VPN cloud
through IPSec tunnel.
I decide to use VTI (Virtual Tunnel Interface) configuration instead of
IPSec+GRE to support dynamic routing.
Until I use the OSPF as a routing prot. there are no questions about the
functionality and connectivity.
Problem occurs when the customer requires me to run BGP on link between
CE and PE.
The BGP session is established correctly, and I can see all the prefixes
correctly redistributed....., but....
I can not access the Customer VPN network (say: HQ) from the LAN network
on that CE (source ping, source traceroute fails)
The same situation occurs if I try to access a LAN network placed
behind the CE from HQ site. (or other CE site)
It is strange, because from any point of customer VPN I can access the
CE WAN interface but no LAN.
At a glance it looks like the IPSec has some problems with encapsulation
of traffic sent via BGP but at the same time, there is no problem to
show all necessary prefixes in routing tables at both sides (CE and PE).
If I only try to manually configure (on PE) the STATIC entry for the
CE-LAN network, everything works fine as expected.....well, but this is
not the big challenge :-)
Just after posting that mail I will try to find (maybe) the answer in
section known-issues on cco regarding the 12.4T, but in the meantime, if
someone on the forum knows the issue that causes that problem, I would
appreciate that kind of help.
Thanks in advance
zarenks