Topic: BGP over IPSEC using FRR (Read 2810 times)
buckeyedave
Newbie
Posts: 4
Karma: 0
BGP over IPSEC using FRR
« on: September 30, 2022, 08:24:04 pm »
I have an OPNsense firewall running 22.7.2 and FRR. I have configured an IPsec tunnel and have the security association established between the two ends. I can ping either end of the tunnel from the other. I also have a rule to allow all traffic across the IPSec interface. When I do a port probe for TCP/179 from the OPNsense device on each end and capture the packets, I see the TCP handshake established, and then a BGP Open message. However, when I try to configure the neighbor using the tunnel address, the BGP log only shows an active state, and a packet capture for the IPSec interface does not show any packets.
When entering the show bgp nexthop command, this is the output:
Current BGP nexthop cache:
10.2.0.240 invalid, #paths 0, peer 10.2.0.240
Must be Connected
10.2.0.240 is the other end of the IPSec tunnel.
Any help would be very much appreciated.
mimugmail
Hero Member
Posts: 6766
Karma: 494
Re: BGP over IPSEC using FRR
« Reply #1 on: September 30, 2022, 09:01:44 pm »
Is this a route based tunnel?
WWW:
www.routerperformance.net
Support plans:
https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German):
https://opnsense.max-it.de/
buckeyedave
Newbie
Posts: 4
Karma: 0
Re: BGP over IPSEC using FRR
« Reply #2 on: September 30, 2022, 09:07:46 pm »
Yes, it is a route-based IPSec tunnel.
mimugmail
Hero Member
Posts: 6766
Karma: 494
Re: BGP over IPSEC using FRR
« Reply #3 on: October 01, 2022, 06:39:02 am »
Can you capture packets on the ipsec device and check the traffic, please?
buckeyedave
Newbie
Posts: 4
Karma: 0
Re: BGP over IPSEC using FRR
« Reply #4 on: October 03, 2022, 01:52:02 pm »
That is the interesting part. If I port probe from either OPN to the other end of the tunnel on TCP/179, I can see the TCP 3-way handshake complete and the next packet is a BGP Open message; however, if I start a packet capture on the IPSec interface and then blip the BGP service, no packets are captured at all.