[c-nsp] BGP problem on IPSec links

Peter Rathlev peter at rathlev.dk
Tue Mar 24 16:47:27 EDT 2009


On Mon, 2009-03-23 at 23:50 +0100, zarenks wrote:
> I wonder if anyone has experienced the problem I have noticed with
> dynamic routing (BGP) running over an IPSec link.
...
> I decide to use VTI (Virtual Tunnel Interface) configuration instead
> of IPSec+GRE to support dynamic routing.
> 
> Until I use the OSPF as a routing prot. there are no questions about
> the functionality and connectivity.

So running OSPF on the PE-CE-link gives you full connectivity?

> The BGP session is established correctly, and I can see all the
> prefixes correctly redistributed....., but....
> 
> I can not access the Customer VPN network (say: HQ) from the LAN
> network on that CE (source ping, source traceroute fails)
> The same situation occurs if I try to access a LAN network placed
> behind the CE from HQ site. (or other CE site)
> 
> It is strange, because from any point of customer VPN I can access the
> CE WAN interface but no LAN.
> At a glance it looks like the IPSec has some problems with encapsulation
> of traffic sent via BGP but at the same time, there is no problem to
> show all necessary prefixes in routing tables at both sides (CE and
> PE).

BGP is purely control-plane, so the forwarding of traffic has nothing to
do with this. BGP feeds the routing table (RIB) which in turn feeds the
forwarding table (FIB).

How does the next-hop appear in the RIB of the PE and the CE?

> If I only try to manually configure (on PE) the STATIC entry for the
> CE-LAN network, everything works fine as expected.....well, but this
> is not the big challenge :-)

You wouldn't happen to use summaries in the PE? This could lead to
problems when removing labels and forwarding via "regular" RIB lookups.
As a rule of thumb the LFIB prefixes announced via BGP should match the
real routes in an MPLS VPN network. (I'm not saying this can't work,
just that it could lead to interesting scenarios.)

Regards,
Peter
