1776 Views | 5 Helpful | 9 Replies

IPSEC SA established not encrypting traffic

russell.sage (Level 1)

I am using CML for learning purposes and have created an IPsec tunnel (see diagram). The ISAKMP SA is in the QM_IDLE state on CE1 and CE2:

CE-1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
1.1.1.1         2.1.1.1         QM_IDLE           1009 ACTIVE

The IPsec SA is established and active:

CE-1#sh crypto ipsec sa

interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 2.1.1.1

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 1.1.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 2.1.1.1, remote crypto endpt.: 1.1.1.1
plaintext mtu 1406, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x9937D863(2570573923)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0x9B6FA16F(2607784303)
transform: esp-256-aes ,
in use settings ={Tunnel, }
conn id: 129, flow_id: SW:129, sibling_flags 80000070, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4336427/317)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:
spi: 0xA392E117(2744312087)
transform: ah-sha384-hmac ,
in use settings ={Tunnel, }
conn id: 129, flow_id: SW:129, sibling_flags 80000070, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4336427/317)
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound pcp sas:

outbound esp sas:
spi: 0x85C4AF47(2244259655)
transform: esp-256-aes ,
in use settings ={Tunnel, }
conn id: 130, flow_id: SW:130, sibling_flags 80000070, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4336427/317)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:
spi: 0x9937D863(2570573923)
transform: ah-sha384-hmac ,
in use settings ={Tunnel, }
conn id: 130, flow_id: SW:130, sibling_flags 80000070, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4336427/317)
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound pcp sas:

I have a ping going from 10.10.100.10 to 10.1.1.2 and a similar one in the opposite direction.

A static route directs the traffic into the tunnel:

CE-1#sh ip route 10.1.1.2
Routing entry for 10.1.1.0/24
Known via "static", distance 1, metric 0
Redistributing via bgp 65002
Advertised by bgp 65002
Routing Descriptor Blocks:
* 5.5.5.2
Route metric is 0, traffic share count is 1

What am I doing wrong?


9 Replies

Can you share the config?

@russell.sage

You've got an active AH SA (ah-sha384-hmac) for hashing, but an ESP SA (esp-256-aes) for encryption.

Change the IPsec transform set to use ESP for encryption and hashing, e.g.:

crypto ipsec transform-set TSET esp-aes 256 esp-sha256-hmac
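The original post's output (CE-1, with both ESP and AH SAs and every counter at zero) and the CE-2 output later in the thread (ESP with HMAC only, counters still zero) show two separate conditions that are easy to conflate. As an added example, not code from the thread, the following Python checker parses "show crypto ipsec sa" text and reports them separately: an AH SA means the transform set names an ah-* transform (the point of the reply above), while ACTIVE SAs with zero encaps/decaps and no send errors means the SAs negotiated fine and the traffic is simply never reaching the tunnel, which points at routing rather than at the crypto. The two samples are abridged copies of the thread's output, and the finding names are the editor's own.

```python
import re
from dataclasses import dataclass, field

# Constructed samples, abridged from the thread's "show crypto ipsec sa"
# output: CE-1 before the transform-set change, CE-2 after it.
CE1_BEFORE = """\
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors 0, #recv errors 0
inbound esp sas:
spi: 0x9B6FA16F(2607784303)
transform: esp-256-aes ,
Status: ACTIVE(ACTIVE)
inbound ah sas:
spi: 0xA392E117(2744312087)
transform: ah-sha384-hmac ,
Status: ACTIVE(ACTIVE)
outbound esp sas:
spi: 0x85C4AF47(2244259655)
transform: esp-256-aes ,
Status: ACTIVE(ACTIVE)
outbound ah sas:
spi: 0x9937D863(2570573923)
transform: ah-sha384-hmac ,
Status: ACTIVE(ACTIVE)
"""

CE2_AFTER = """\
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors 0, #recv errors 0
inbound esp sas:
spi: 0x2E39D960(775543136)
transform: esp-256-aes esp-sha256-hmac ,
Status: ACTIVE(ACTIVE)
inbound ah sas:
outbound esp sas:
spi: 0xAB03D945(2869156165)
transform: esp-256-aes esp-sha256-hmac ,
Status: ACTIVE(ACTIVE)
outbound ah sas:
"""


@dataclass
class Sa:
    direction: str
    proto: str
    spi: str
    transform: str = ""
    status: str = ""


@dataclass
class Report:
    encaps: int = 0
    decaps: int = 0
    send_errors: int = 0
    recv_errors: int = 0
    sas: list = field(default_factory=list)


SECTION = re.compile(r"^(inbound|outbound) (esp|ah|pcp) sas:")


def parse_ipsec_sa(text):
    """Collect the packet counters and every SA listed per direction/protocol."""
    rep, section, cur = Report(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SECTION.match(line):
            section, cur = (m[1], m[2]), None
        elif m := re.match(r"#pkts encaps: (\d+)", line):
            rep.encaps = int(m[1])
        elif m := re.match(r"#pkts decaps: (\d+)", line):
            rep.decaps = int(m[1])
        elif m := re.match(r"#send errors (\d+), #recv errors (\d+)", line):
            rep.send_errors, rep.recv_errors = int(m[1]), int(m[2])
        elif section and line.startswith("spi:"):
            # "spi: 0x9B6FA16F(2607784303)" -> keep the hex SPI only
            cur = Sa(section[0], section[1], line.split()[1].split("(")[0])
            rep.sas.append(cur)
        elif cur and line.startswith("transform:"):
            cur.transform = line[len("transform:"):].strip(" ,")
        elif cur and line.startswith("Status:"):
            cur.status = line.split(":", 1)[1].strip()
    return rep


def diagnose(text):
    """Turn parsed output into the findings a troubleshooter wants first."""
    rep = parse_ipsec_sa(text)
    active = [s for s in rep.sas if s.status.startswith("ACTIVE")]
    findings = []
    if any(s.proto == "ah" for s in active):
        # transform set names an ah-* transform: integrity rides in a
        # separate AH header instead of inside ESP
        findings.append("AH_SA_PRESENT")
    elif active and all("hmac" not in s.transform and "gcm" not in s.transform
                        for s in active if s.proto == "esp"):
        findings.append("ESP_WITHOUT_INTEGRITY")
    if active and rep.encaps == 0 and rep.decaps == 0 and rep.send_errors == 0:
        # SAs negotiated, nothing ever encrypted: traffic is not being
        # routed into the tunnel, so check routing before the crypto
        findings.append("SA_UP_NO_TRAFFIC")
    elif rep.encaps > 0 and rep.decaps == 0:
        findings.append("ONE_WAY_ONLY")
    return findings
```

Run diagnose() over each side's output after the counters have had a chance to move; a side that reports SA_UP_NO_TRAFFIC while the ping is running has a routing or next-hop problem, not a negotiation problem, which is exactly the situation in this thread.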

Hi,
Thanks for that, but the change hasn't made a difference; it is still not encrypting traffic. I did a clear crypto session on both routers.
Weirdly, routing says traffic is going down the tunnel, but sh int tu0 shows no traffic and a traceroute shows the traffic bypassing the tunnel. I don't see any traffic on the tunnel interface.

Would be helpful to see the configuration of both sides of the tunnel. By the looks of it CE-2 is advertising 10.1.1.2 over BGP and not via the tunnel interface.

--
Please remember to select a correct answer and rate helpful posts

Building configuration...

Current configuration : 4032 bytes
!
! Last configuration change at 07:36:20 UTC Mon Sep 13 2021
!
version 15.8
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CE-2
!
boot-start-marker
boot-end-marker
!
!
no logging console
!
no aaa new-model
!
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
redundancy
!
!
!
!
!
!
!
crypto isakmp policy 10
encr aes 256
hash sha384
authentication pre-share
group 20
crypto isakmp key uh&8H,[PbZH&&/}ffD.\LeNZG4a"L!-n address 2.1.1.1 255.255.255.252
!
!
crypto ipsec transform-set MyLab1 esp-aes 256 esp-sha256-hmac
mode tunnel
!
crypto ipsec profile MyLab1
set transform-set MyLab1
!
!
!
!
!
!
!
interface Loopback0
ip address 63.130.130.1 255.255.255.255
!
interface Tunnel0
ip address 5.5.5.2 255.255.255.252
tunnel source GigabitEthernet0/2
tunnel mode ipsec ipv4
tunnel destination 2.1.1.1
tunnel protection ipsec profile MyLab1
!
interface GigabitEthernet0/0
description LAN interface
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
description LAN interface
no ip address
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1.10
description Desktop
encapsulation dot1Q 10
ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/2
ip address 1.1.1.1 255.255.255.252
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/3
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
router bgp 65001
bgp log-neighbor-changes
neighbor 1.1.1.2 remote-as 65000
!
address-family ipv4
redistribute connected
neighbor 1.1.1.2 activate
exit-address-family
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 1.1.1.2
ip route 10.10.100.0 255.255.255.0 5.5.5.1
!
ip access-list extended MyLab1
permit ip 10.1.1.0 0.0.0.255 10.10.100.0 0.0.0.255
!
ipv6 ioam timestamp
!
!
!
control-plane
!
banner exec ^CC
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
banner incoming ^CC
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
banner login ^CC
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
login
transport input none
!
no scheduler allocate
!
end

CE-2#sh ip route 10.10.100.10
Routing entry for 10.10.100.0/24
Known via "static", distance 1, metric 0
Routing Descriptor Blocks:
* 5.5.5.1
Route metric is 0, traffic share count is 1
CE-2#
CE-2#sh crypto session
Crypto session current status

Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 2.1.1.1 port 500
Session ID: 0
IKEv1 SA: local 1.1.1.1/500 remote 2.1.1.1/500 Active
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map

CE-2#sh run int tu0
Building configuration...

Current configuration : 187 bytes
!
interface Tunnel0
ip address 5.5.5.2 255.255.255.252
tunnel source GigabitEthernet0/2
tunnel mode ipsec ipv4
tunnel destination 2.1.1.1
tunnel protection ipsec profile MyLab1
end

CE-2#sh crypto ipsec sa

interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 1.1.1.1

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 2.1.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.1.1.1
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/2
current outbound spi: 0xAB03D945(2869156165)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0x2E39D960(775543136)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: SW:1, sibling_flags 80000040, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4314202/2182)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xAB03D945(2869156165)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: SW:2, sibling_flags 80000040, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4314202/2182)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

(Accepted Solution)

According to your config you use VTI, not classic IPsec, and the config is OK, but make this change:

for the pre-shared key use address 0.0.0.0/0, and for the static route please change from next-hop to outlet interface "tunnel".
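As an added example (editor's code, not the thread's), a small checker that reads the CE-2 config posted above and reports the facts the accepted answer turns on: whether Tunnel0 is a routed VTI, whether the static route points at the tunnel peer's address or at the interface, and how narrowly the pre-shared key is scoped. Two observations from the posted config are worth having in front of you while reading it: the extended ACL MyLab1 is defined but never referenced (with a VTI the proxy identity is 0.0.0.0/0, as the show output confirms, so the ACL does nothing), and a key bound to address 0.0.0.0 0.0.0.0 is a wildcard key that IOS will accept from any peer that knows it, which is fine in a CML lab but should stay bound to the real peer anywhere else. The "after" form of the two changed lines is the editor's reading of the accepted answer, and the key value is replaced by the placeholder SECRET.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed excerpt of the CE-2 config from the thread (key value replaced),
# with the two lines the accepted answer changes in their "before" form.
CE2_BEFORE = """\
crypto isakmp key SECRET address 2.1.1.1 255.255.255.252
crypto ipsec transform-set MyLab1 esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile MyLab1
 set transform-set MyLab1
interface Tunnel0
 ip address 5.5.5.2 255.255.255.252
 tunnel source GigabitEthernet0/2
 tunnel mode ipsec ipv4
 tunnel destination 2.1.1.1
 tunnel protection ipsec profile MyLab1
ip route 0.0.0.0 0.0.0.0 1.1.1.2
ip route 10.10.100.0 255.255.255.0 5.5.5.1
ip access-list extended MyLab1
 permit ip 10.1.1.0 0.0.0.255 10.10.100.0 0.0.0.255
"""

# Same excerpt with the accepted answer applied (editor's assumed form).
CE2_AFTER = CE2_BEFORE.replace(
    "address 2.1.1.1 255.255.255.252", "address 0.0.0.0 0.0.0.0"
).replace(
    "ip route 10.10.100.0 255.255.255.0 5.5.5.1",
    "ip route 10.10.100.0 255.255.255.0 Tunnel0",
)


def parse_config(cfg):
    """Pull the VTI, PSK, transform-set, static-route and ACL facts out of an
    IOS config. Only the commands used in this lab are handled."""
    facts = {"tunnels": {}, "psk": [], "transforms": {}, "routes": [],
             "acls": set(), "acl_refs": set()}
    cur_if = None
    for raw in cfg.splitlines():
        if not raw.startswith(" "):
            cur_if = None  # back at global config level
        s = raw.strip()
        if m := re.match(r"interface (Tunnel\d+)", s):
            cur_if = m[1]
            facts["tunnels"][cur_if] = {}
        elif cur_if:
            if m := re.match(r"ip address (\S+) (\S+)", s):
                facts["tunnels"][cur_if]["net"] = ip_network(f"{m[1]}/{m[2]}", strict=False)
            elif s == "tunnel mode ipsec ipv4":
                facts["tunnels"][cur_if]["vti"] = True
            elif m := re.match(r"tunnel protection ipsec profile (\S+)", s):
                facts["tunnels"][cur_if]["profile"] = m[1]
        elif m := re.match(r"crypto isakmp key \S+ address (\S+) (\S+)", s):
            facts["psk"].append(ip_network(f"{m[1]}/{m[2]}", strict=False))
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", s):
            facts["transforms"][m[1]] = m[2].split()
        elif m := re.match(r"ip route (\S+) (\S+) (\S+)", s):
            facts["routes"].append((ip_network(f"{m[1]}/{m[2]}", strict=False), m[3]))
        elif m := re.match(r"ip access-list extended (\S+)", s):
            facts["acls"].add(m[1])
        elif m := re.match(r"match address (\S+)", s):  # crypto-map reference
            facts["acl_refs"].add(m[1])
    return facts


def check(cfg):
    """Report how the tunnel, its static routes, the PSK scope and the ACLs line up."""
    f = parse_config(cfg)
    findings = []
    for name, t in f["tunnels"].items():
        if t.get("vti") and t.get("profile"):
            findings.append(f"{name}:VTI")  # routed VTI, no crypto ACL involved
            for prefix, nh in f["routes"]:
                if nh == name:
                    findings.append(f"{prefix}:via-interface")
                elif nh[0].isdigit() and t.get("net") and ip_address(nh) in t["net"]:
                    findings.append(f"{prefix}:via-tunnel-peer-ip")
    for net in f["psk"]:
        # a /0 key matches every peer; anything else is bound to a peer range
        findings.append("PSK:wildcard" if net.prefixlen == 0 else f"PSK:{net}")
    for name, parts in f["transforms"].items():
        if any(p.startswith("ah-") for p in parts):
            findings.append(f"{name}:uses-AH")
    for acl in sorted(f["acls"] - f["acl_refs"]):
        findings.append(f"ACL {acl}:unreferenced")
    return findings
```

Running check() on both versions shows exactly what the accepted answer changed and nothing else; the unreferenced ACL line is the same before and after, since a VTI never consults it.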

Hi,

Thanks, that worked. So is this just the vagaries of the CML lab or of IOS config? What is the difference between stipulating the interface rather than the IP address of the interface?

Similarly, the key peer address being 0.0.0.0/0 rather than the specific peer?

Interesting, I mentioned earlier for you to check routing, as it looked like BGP was advertising it out the physical interface. Didn't you check it then?

--
Please remember to select a correct answer and rate helpful posts

Apologies,
I must have missed your reply and read the reply relating to changing the static route next hop from the IP address to the tunnel interface. I presume then that this prevents a recursive lookup.