Can I create BGP neighbor over IPsec tunnel mode?

theerapongpomp
Level 1

Hi Guys,

 

I have a question about BGP over IPsec tunnel mode.

 

I have only an L3 switch, a 3650, that does not support GRE to build the remote neighbor tunnel over the Internet, but I see that an IPsec tunnel mode can be created.

 

I have searched the Internet and I can't find any solution of this kind.

 

Is that possible to do, or is there any kind of issue that I need to be concerned about?

 

Thanks in advance.

 

14 Replies

Oleg Volkov
Spotlight

I make BGP peering between ASAs with VTI tunnels.

The tunnel interface uses an IPsec protection profile.

 

--------------------------------------------------------------------------

Helping seriously ill children, all together. All information about this is posted on my blog.

I prefer BGP over VTI, which is protected by IPsec.

Hello,

 

Not sure what you are actually asking. Is your 3650 not 'capable' of configuring a GRE tunnel and building a BGP neighborship? Or are you asking if a BGP neighborship can be built (or not) over a GRE tunnel?

 

Either way, the below should work:

 

L3_SW1

 

interface Loopback1
ip address 1.1.1.1 255.255.255.255
!
interface Tunnel1
ip address 172.16.1.1 255.255.255.0
tunnel source GigabitEthernet0/0
tunnel destination 192.168.1.2
!
interface GigabitEthernet0/0
ip address 192.168.1.1 255.255.255.252
duplex auto
speed auto
media-type rj45
!
router bgp 1
bgp router-id 1.1.1.1
bgp log-neighbor-changes
network 1.1.1.1 mask 255.255.255.255
neighbor 172.16.1.2 remote-as 1

 

L3_SW2

 

interface Loopback1
ip address 2.2.2.2 255.255.255.255
!
interface Tunnel1
ip address 172.16.1.2 255.255.255.0
tunnel source GigabitEthernet0/0
tunnel destination 192.168.1.1
!
interface GigabitEthernet0/0
ip address 192.168.1.2 255.255.255.252
duplex auto
speed auto
media-type rj45
!
router bgp 1
bgp router-id 2.2.2.2
bgp log-neighbor-changes
network 2.2.2.2 mask 255.255.255.255
neighbor 172.16.1.1 remote-as 1

I am puzzled about part of the original post. It tells us that "I have only L3swith 3650 that is not support GRE to build the remote neighbor tunnel". It then asks about using an ipsec tunnel. What would create the ipsec tunnel? 

 

The main question of the post is about establishing BGP routing over the ipsec. And there are several aspects to consider about this. A normal ipsec site to site vpn does not support multicast, so routing protocols like OSPF or EIGRP that use multicast would not work over a standard ipsec tunnel. But BGP does not use multicast, and so it should not have a problem running over a standard ipsec site to site vpn.

 

There are several options for running dynamic routing over an ipsec site to site vpn. A GRE tunnel in conjunction with ipsec would allow OSPF or EIGRP. And it certainly would allow BGP. A newer approach (and a bit easier to configure) is a VTI tunnel. This would support OSPF or EIGRP or BGP.

 

So in general it should not be a problem to run BGP over a site to site vpn. In the particular case of the original post (with only 3650 switch) I do not see how it would work without some additional network equipment being added to the environment.

HTH

Rick

Hello Richard,

 

Thanks for your help, and sorry for creating a confusing topic.

 

Actually, the L3 switch 3650 that I have has an IP Services license, which does not support Tunnel interface configuration.

 

The thing is that the switch can use IPsec with tunnel mode.

So I'm just in doubt about using it to set up a BGP peer over the Internet. Because when I searched the Internet I found only GRE or VTI tunnels being used, which I understand can carry many routing protocols.

But I have a limitation using the GRE or VTI tunnel.

Hope it is clear.

[attached image: 2.PNG]

Why do you want to protect BGP with IPsec?

I don't mean to protect BGP with IPsec.

 

I just want to use the tunnel to peer BGP, but my L3 switch does not support tunnel configuration.

That leaves IPsec tunnel mode as the only thing I can use.

 

 

Ok.

But why?

Is the peer multi-hop from this switch?

Do you want to use a loopback as the source?

Yes, it is a multi-hop connection via the Internet. And yes, I am thinking of using a loopback as the peer neighbor IP.

Try this solution:

BGP with NAT to override routing on the Internet.

https://www.google.com/amp/s/www.noction.com/blog/nat-and-bgp-explained/amp

I agree that the better solution would be to use a GRE tunnel. But the original poster indicates that this is not a viable option. I think the next best solution would be something like VTI (assuming that this platform supports that option - but we do not know if it does). But that is not the question that the original post asks. So let us deal with the question asked in the original post - can you run BGP over an ipsec site to site vpn? I assert that the answer is yes you can run BGP over an ipsec site to site vpn.

 

But I think that we also need to look a bit beyond that question. If it is possible to run BGP over an ipsec site to site vpn, is it a good idea to do this? I suspect that the answer to the follow up question is no, it is not a good idea to run BGP over the ipsec site to site vpn. If we run BGP over the ipsec then all of the BGP based Internet traffic would want to run over that connection. If we were using one of the tunneling protocols it would be simple to route the Internet traffic over the tunnel. But with a simple ipsec site to site vpn, how do you set up the routing logic, and how do you set up the crypto map to carry the Internet traffic over the vpn? Ultimately I believe that the ipsec tunnel is not a good option for this environment.

HTH

Rick

Hi, 

 

I am not concerned about the Internet access, as I have the link for it.

 

Below is a simple diagram showing what I want to do.

I want to peer both core switches with BGP to route their private networks.

 

I understand the tunnel is the easy way to do it, but there is the limitation. And I only see that IPsec tunnel mode can be used.

 

Whenever I try to set the tunnel configuration in the switch I always get this message:

"%Tunnel interfaces are not user configurable." 

 

 

[attached image: Capture.PNG]

Thanks for the additional information. In this case you would know what networks/subnets are likely to be advertised and could configure the crypto map to process them. So it looks to me like this solution could work. I am surprised that a switch that does not support GRE tunnels would support ipsec site to site vpn. But the question in the original post was whether it would work to run BGP over an ipsec site to site vpn and I believe that the answer to that is yes BGP should run over an ipsec site to site vpn.

HTH

Rick
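As an added example (not configuration from this thread; the original poster never showed an IPsec config), here is generic Cisco IOS/IOS-XE syntax for what this reply and the earlier GRE/VTI-versus-crypto-map reply describe: BGP peered loopback-to-loopback across a plain crypto-map site-to-site VPN, with the crypto ACL written to cover both the BGP session and the prefixes the two sites exchange, and the VTI form as a commented alternative. Everything in it is an assumption: the addresses, names, ASNs and PSK placeholders, and the fact that the platform accepts crypto maps at all, which nothing in the thread confirms. Only site 1 is shown; site 2 mirrors it with the addresses and ASNs swapped.

```cisco
! Added example, not from the thread. Site 1 of a two-site setup.
! Assumed values:
!   203.0.113.1 / .2   Internet-facing addresses of site 1 / site 2
!   203.0.113.254      site 1 Internet gateway
!   1.1.1.1 / 2.2.2.2  loopbacks used as the BGP peering addresses
!   10.1.0.0/16, 10.2.0.0/16  private networks exchanged via BGP
!
! --- IKEv2 / IPsec, shared by both options ---
crypto ikev2 proposal IKEV2-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy IKEV2-POL
 proposal IKEV2-PROP
!
crypto ikev2 keyring SITE2-KR
 peer SITE2
  address 203.0.113.2
  pre-shared-key local <psk>
  pre-shared-key remote <psk>
!
crypto ikev2 profile IKEV2-PROF
 match identity remote address 203.0.113.2 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local SITE2-KR
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! --- Option A: crypto map, no tunnel interface (the poster's constraint) ---
! The crypto ACL must match the BGP session itself (loopback to loopback)
! AND every prefix the two sites will route to each other. Anything BGP
! sends toward this interface that is not matched here is forwarded in
! the clear, so the ACL has to be kept in step with what BGP advertises.
ip access-list extended VPN-TRAFFIC
 permit ip host 1.1.1.1 host 2.2.2.2
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 set ikev2-profile IKEV2-PROF
 match address VPN-TRAFFIC
!
interface Loopback1
 ip address 1.1.1.1 255.255.255.255
!
interface GigabitEthernet1/0/1
 description Internet
 ip address 203.0.113.1 255.255.255.252
 crypto map VPN
!
! The remote loopback must already be routed out of the crypto-mapped
! interface: BGP cannot learn it before the session is up.
ip route 2.2.2.2 255.255.255.255 203.0.113.254
!
router bgp 65001
 bgp router-id 1.1.1.1
 bgp log-neighbor-changes
 neighbor 2.2.2.2 remote-as 65002
 neighbor 2.2.2.2 update-source Loopback1
 neighbor 2.2.2.2 ebgp-multihop 2
 neighbor 2.2.2.2 password <bgp-md5-secret>
 address-family ipv4
  network 10.1.0.0 mask 255.255.0.0
  neighbor 2.2.2.2 activate
!
! --- Option B: VTI, on a platform that allows tunnel interfaces ---
! Replaces the ACL, crypto map and static route above. Peering is on the
! tunnel addresses (no multihop), and whatever BGP routes into Tunnel1 is
! encrypted whatever its prefix, so there is no ACL to keep in sync.
! crypto ipsec profile IPSEC-PROF
!  set transform-set TS
!  set ikev2-profile IKEV2-PROF
! interface Tunnel1
!  ip address 172.16.1.1 255.255.255.252
!  tunnel source GigabitEthernet1/0/1
!  tunnel mode ipsec ipv4
!  tunnel destination 203.0.113.2
!  tunnel protection ipsec profile IPSEC-PROF
! router bgp 65001
!  neighbor 172.16.1.2 remote-as 65002
```

Two things to check after applying it. `show crypto ikev2 sa` and `show crypto ipsec sa` should show the SA for 1.1.1.1/2.2.2.2 with encaps and decaps counters increasing before `show ip bgp summary` ever moves past Active; if the BGP packets are not hitting the crypto ACL they go out unencrypted and the session will not form. `ebgp-multihop 2` is normally enough for loopback peering over a directly attached encrypted path; raise it only if the session stays in Active with the SA up. If the same interface also does NAT for Internet access, the NAT ACL must deny the VPN-TRAFFIC flows first, or the source addresses are rewritten before the crypto map sees them.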

The point is that my L3 switch does not support Tunnel configuration because I have only the IP Services license.

 

[attached image: 2.PNG]
