Hmmm... it makes sense...
The remote endpoint of the VPN (fw2's upstream interface, x.y.z.101) IS in the OSPF database.
AS External Link States
Link ID     ADV Router  Age  Seq#        CkSum   Route             Tag
<snip>
x.y.z.101   x.y.z.247   188  0x8000468f  0xbe03  E2 x.y.z.101/32   0
<snip>
It seems logical that IPSec packets are to be routed through the GRE tunnel...
Okay, I added a static route on drpgw1 towards x.y.z.101 to go through my default gw.
And IT WORKS! No more strange ISAKMP packets, and OSPF hellos arrive at fw2 through the tunnel.
That was the problem, thanks.
One more question though: How can I filter incoming routes from OSPF? A static route is not an acceptable solution for me, because the ER-X has to be mobile, and its external interface uses DHCP, so I can't hardcode the next-hop into the config...
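
The failure described in this post, as an added example that is not part of the original post: a check for whether a VPN endpoint's best route points into the tunnel that depends on it. The addresses, interface names and administrative distances are constructed stand-ins for the masked x.y.z values.

```python
import ipaddress

# Constructed sample data: documentation prefixes replace the masked
# x.y.z addresses; eth0/tun0 and the distances are assumptions.
TUNNEL_IF = "tun0"
VPN_REMOTE = "203.0.113.101"  # stands in for fw2's upstream interface

RIB_BEFORE = [
    {"prefix": "0.0.0.0/0", "dev": "eth0", "proto": "dhcp", "distance": 210},
    # The /32 external route learned over the tunnel, as in the OSPF database.
    {"prefix": "203.0.113.101/32", "dev": "tun0", "proto": "ospf-E2", "distance": 110},
]
# Same table after adding the static host route towards the default gateway.
RIB_AFTER = RIB_BEFORE + [
    {"prefix": "203.0.113.101/32", "dev": "eth0", "proto": "static", "distance": 1},
]


def best_route(rib, dest):
    """Longest prefix wins; on equal length the lowest distance wins."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in rib if addr in ipaddress.ip_network(r["prefix"])]
    if not matches:
        return None
    return max(
        matches,
        key=lambda r: (ipaddress.ip_network(r["prefix"]).prefixlen, -r["distance"]),
    )


def endpoint_routed_into_tunnel(rib, tunnel_if, endpoint):
    """True when packets for the VPN endpoint would be sent into the tunnel."""
    route = best_route(rib, endpoint)
    return route is not None and route["dev"] == tunnel_if


if __name__ == "__main__":
    for name, rib in (("before", RIB_BEFORE), ("after", RIB_AFTER)):
        r = best_route(rib, VPN_REMOTE)
        looped = endpoint_routed_into_tunnel(rib, TUNNEL_IF, VPN_REMOTE)
        print(f"{name}: {r['prefix']} via {r['dev']} ({r['proto']}) looped={looped}")
```
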