I support a hub and spoke VPN topology consisting of a VPN 3005 on the hub end and varying IOS routers on the spoke end. For simplicity sake I will refer to the hub as Corp and the remote site in question as Remote. Corp edge routing is done by a 3640 mulithomed router configured with BGP - static routes only - for the purpose of redundancy over two separate ISPs and has functioned flawlessly with the BGP setup for more than a year. The remote in question initially was not configured for BGP but after a redundant connection was added we wanted to mirror our BGP configuration from Corp to Remote. Remote uses the same two ISPs as Corp and the BGP functionality works well on the 3725. We have a /24 segment which is redundant over both serial interfaces and is assigned an IP on interface F0/1. If I apply the crypto map to that interface then the VPN will not pass traffic through the tunnel.

There is only one crypto map profile configured on the remote and also just one LAN-2-LAN tunnel configured for Remote on the 3005 Concentrator at Corp. If the Crypto Map profile is applied to the F0/1 interface (BGP segment) then the tunnel is unable to pass traffic. If I apply the same Crypto map profile to either serial interface on Remote then the tunnel and traffic work fine. I always use the same Ike and IPsec session and the only change I make is to the IP address within the LAN-2-LAN on the 3005 and the interface to which the crypto map is applied on the IOS router side. Also, the Crypto map is never applied to more than one interface at a time on Remote and there is never a time that I do not get a ping reply from the BGP interface. Connectivity is good throughout and there are no configured access-lists that would interfere with the VPN traffic. When I apply the crypto map to the BGP interface the VPN session will be established but if I look at the session in the Concentrator it shows zero packets received. It seems as though there is no return traffic. Any thoughts?