How do IPsec Tunnels work when bgp is configured

I have the following design, where I have ibgp and ebgp configured, I have RR client at Pcore towards pe1 and pe2.
Redistributing connected everywhere in BGP [please ignore vrf terminology, not configured yet.]
On CE, I have allows-in, configured, which works well. reachability is end-to-end,

Ping works from CE1 to CE2, but when sourced from eth1/0 on ce1 towards 192.168.25.1 does not work, but normal ping works between CE1 and CE2.

I have an IPsec tunnel configured, and activated on CE1 and CE2, WAN interface. facing the isp PE1 and PE2.

Any reason why this wouldn’t work?
does the tunnel mode matter?
I have not configured IPsec on the ISP network!, Im unable to see why when sourced from eth1/0 iinterface it wont work. but ping from eitherside works.

Hello Vivek

First of all, when you say “CE2” I assume you mean the device labeled “CE1-CustA-RemoteSite-Banglore” in the diagram, correct? Just wanted to make sure that’s a typo in the diagram, as it should read “CE2.”

You say that If you simply ping from CE1 to 192.168.25.1 this ping is successful. When you ping in this manner, the source IP used is the exit interface, specifically G0/0 with an IP address of 6.6.6.6. (Take a look at this NetworkLessons note to find out more about how a router chooses the source IP address when pinging.) Since this is successful, this means that all routers along the path are informed of the 6.6.6.0/29 address.

Now if this same ping fails when using the 10.10.10.1 source address of E1/0, this means that somewhere along the path, the 10.10.10.0/24 network is unknown, and the packet is being dropped. Now because the previous ping was successful to 192.168.25.1, this means that the failing ping actually reaches its destination, but the echo reply is dropped somewhere.

In order to further troubleshoot this, I suggest you examine how the 10.10.10.0/24 network is being advertised throughout the topology. I would begin at the CE2 device and check its routing table to see if the 10.10.10.0/24 network is in the routing table. If it is, start going back to PE2, P-Core, and PE1 to see where the problem is.

Once you determine where the routing has gone wrong, you can then begin troubleshooting how you are advertising this network into the topology. Let us know how you get along!

I hope this has been helpful!

Laz