Which route is pointing towards the tunnel ? 

Post the config of your router, without seeing that, it is just guesswork...

Hi,

Please see the configuration. before static route (not default route) tunnel is up and i can ping loopback interface to interface.my network is work properly under BGP transport.

When my route apply to tunnel ,tunnel is down.

my-r1#sh run
Building configuration...

Current configuration : 9290 bytes
!
! Last configuration change at 21:36:59 SGD Wed Nov 21 2018
!
version 15.5
service timestamps debug datetime localtime
service timestamps log datetime localtime
no service password-encryption
!
hostname my-r1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
ethernet lmi ce
clock timezone SGD 8 0
!
crypto pki trustpoint my-ca
enrollment terminal
serial-number none
ip-address none
subject-name cn=r1.my.local
revocation-check none

fqdn none
rsakeypair my-ca 2048

ip cef

!
!
crypto ikev2 proposal aes-cbc-256-proposal
encryption aes-cbc-256
integrity sha256
group 14
!
crypto ikev2 policy policy1
match address local 10.10.10.1
proposal aes-cbc-256-proposal
!
!
crypto ikev2 profile profile1
description IKEv2 profile
match identity remote any
identity local dn
authentication local rsa-sig
authentication remote rsa-sig
pki trustpoint my-ca
!
!
!
!
!
!
crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha256-hmac
mode tunnel
!
crypto ipsec profile VTI-IPSecProfile
set transform-set ESP-AES-SHA
set ikev2-profile profile1
!
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
! Incomplete
set peer 13.13.13.13
! access-list has not been configured yet
set transform-set ESP-AES-SHA
set pfs group14
set ikev2-profile profile1
match address 103

!
interface Tunnel1

ip address 1.1.1.1 255.255.255.0
tunnel source GigabitEthernet9
tunnel mode ipsec ipv4
tunnel destination 13.13.13.13
tunnel protection ipsec profile VTI-IPSecProfile
!

interface GigabitEthernet7
no ip address
!
interface GigabitEthernet8

duplex auto
speed auto
!
interface GigabitEthernet9
ip address 10.10.10.1 255.255.255.240
shutdown
duplex auto
speed auto
!
interface Vlan1
no ip address
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 10.10.10.2
ip route 20.20.20.0 255.255.255.0 Tunnel1

router bgp 65300
no synchronization
bgp log-neighbor-changes
network 10.1.2.0 mask 255.255.255.0
neighbor 10.10.10.2 remote-as 25
neighbor 10.10.10.2 description ISP Peer

no auto-summary
ip access-list 103 10.1.2.0 0.0.0.255 20.20.20.0 0.0.0.255
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
login
transport input none
!
scheduler allocate 20000 1000
!
end

my-r1#

Hello,

post the config of the other side as well...

You need to make sure that the route to the other end of the tunnel is not through the tunnel itself, that is when recursive routing occurs...

Hi,
Other side it PA firewall. Router is also run BGP peer with ISP also.After that PA firewall .PA firewall to router is using Static route. 

ip route 13.13.13.13 255.255.255.255 10.10.10.2

In the config that you posted there are two static routes. One is the static default route and the other appears to be a route for the remote network reached through the tunnel. I do not see issues with these routes. Can you give us the specifics of the static route that you are attempting to configure that causes this problem?

I do see a couple of things in the config that I would ask about:

- your outside interface Gig9 is shutdown. Is that on purpose?

- your configuration of BGP has a network statement for 10.1.2.0 255.255.255.0 but I do not see anything in the configuration about that network. What is it and where is it? 

- it looks like you originally intended to do ipsec with a crypto map and then changed to use vti. You might want to remove the crypto map and acl 103 from the config.

HTH

Rick

Hi All,
I can solved now. I removed romte interface subnet in my static route.Last time i point the whole route include remote interface.So my tunnel leaned itself. Thanks for your help. and I would like to know 

can i use share proposal ,transformset and policy. Please see below config sample and advice me.

crypto ikev2 proposal aes-cbc-256-proposal1
encryption aes-cbc-256
integrity sha256
group 14
!
crypto ikev2 policy policy
match address local 2.1.1.1
proposal aes-cbc-256-proposal1
!
crypto ipsec transform-set TS-ESP-AES-SHA esp-aes 256 esp-sha256-hmac 
mode tunnel
!
crypto ikev2 profile profile1
description IKEv2 profile
match identity remote address 123.1.1.1
identity local address 2.1.1.1
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint my-ca

!
crypto ipsec profile IPSecProfile
set transform-set TS-ESP-AES-SHA
set ikev2-profile profile2

interface Tunnel2
description For branch to AWS
ip address 1.1.1.5 255.255.255.252
tunnel source g9
tunnel mode ipsec ipv4
tunnel destination 123.1.1.1
tunnel protection ipsec profile IPSecProfile
!
!
crypto ikev2 profile profile2
description IKEv2 profile
match identity remote address 12.2.2.2 
identity local address 2.1.1.1
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint my-ca

!
crypto ipsec profile IPSec
set transform-set ESP-AES-SHA
set ikev2-profile profile2

interface Tunnel2
ip address 172.16.100.1 255.255.255.252
tunnel source 2.1.1.1
tunnel mode ipsec ipv4
tunnel destination 12.2.2.2
tunnel protection ipsec profile IPSec

ip route 10.10.10.0 255.255.255.0 Tunnel1
ip route 20.20.20.0 255.255.255.0 Tunnel2