I am using a Mikrotik virtual appliance in Amazon Web Services running v6.39.2. I terminate an AWS VPC VPN (from another AWS region) on this Mikrotik. The AWS VPN consists of 2 IPsec tunnels (for redundancy purposes), and there is a known issue where one of the tunnel policies on the Mikrotik is always marked as invalid. I was hoping that the policy priority fix in the v6.39.2 release would fix this issue, but it still seems to be there (perhaps I misunderstood the details of the fix). Does anyone know of a way to get around this problem? Is there a possibility to script something that will mark the invalid policy (priority 0) as valid if the primary tunnel (policy priority 1) fails and reverses the process when the primary is back up? Or does anyone have another way to automatically deal with this?
Policy priority has a different purpose.
As you already mentioned, you can use a script to check the reachability of the first tunnel; if it fails, disable the first policy and enable the second.
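One way to script the check described in the reply above, as an added example that is not part of the thread and not a MikroTik-supplied script. It assumes the two AWS tunnel policies carry the comments aws-tun1 and aws-tun2, that the AWS inside-tunnel peer address of the primary tunnel (169.254.10.1 here, a placeholder) answers ping through the first policy, and that the script runs from the scheduler every 30 seconds or so. Because the two policies have identical selectors, only one is enabled at any time; failback is done by swapping the policies, probing the primary, and swapping back if the probe fails, which costs a few seconds of traffic per probe while the primary is down.

```routeros
# Added example for RouterOS v6 scripting, not from the original thread.
# Assumptions (placeholders): policy comments aws-tun1 / aws-tun2,
# primary inside-tunnel peer 169.254.10.1, three pings per probe.
:local primaryPeer "169.254.10.1"
:local probeCount 3

:local primary [/ip ipsec policy find comment="aws-tun1"]
:local secondary [/ip ipsec policy find comment="aws-tun2"]

# Refuse to run if either policy is missing rather than disabling the wrong one
:if ([:len $primary] = 0 || [:len $secondary] = 0) do={
    :log error "ipsec-failover: policies aws-tun1/aws-tun2 not found"
    :error "ipsec-failover: missing policies"
}

:local primaryActive (![/ip ipsec policy get $primary disabled])

:if ($primaryActive) do={
    # Primary tunnel in use: probe it, and on total loss move to the secondary
    :if ([/ping $primaryPeer count=$probeCount interval=1s] = 0) do={
        /ip ipsec policy disable $primary
        /ip ipsec policy enable $secondary
        :log warning "ipsec-failover: primary tunnel down, switched to secondary"
    }
} else={
    # Secondary in use: try to fail back. Swap policies (never both enabled,
    # since the overlapping one would be marked invalid), give IKE time to
    # come up, probe, and revert if the primary is still unreachable.
    /ip ipsec policy disable $secondary
    /ip ipsec policy enable $primary
    :delay 10s
    :if ([/ping $primaryPeer count=$probeCount interval=1s] > 0) do={
        :log info "ipsec-failover: primary tunnel restored"
    } else={
        /ip ipsec policy disable $primary
        /ip ipsec policy enable $secondary
        :log warning "ipsec-failover: primary still down, staying on secondary"
    }
}
```

Store it under /system script (for example as ipsec-failover) and run it from /system scheduler with an interval of around 30 seconds; the scheduler interval is also how often the script attempts failback while the primary is down, so lengthen it if the probe outage is a concern. A ping count of 3 at 1 s intervals means a single dropped packet does not trigger a failover, only a fully unreachable peer does.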
For anyone interested - I found a way to work around this issue that works for me. To clarify - I am using the Mikrotik CHR virtual appliance in AWS in a small VPC dedicated as a routing hub to terminate IPsec tunnels from other AWS regions. The purpose of the routing hub is to interconnect AWS regions - functionality that does not currently exist in the AWS stack. For redundancy purposes I place one CHR in each of two different AZs. For my solution, the two CHRs do not have to be BGP peers. From the remote region's VPC, I create two VPN tunnels - one to each CHR. I only bring up ONE IPsec tunnel in the VPN connection (due to the other one being marked as invalid on the Mikrotik). Because I establish two tunnels to two different CHRs, it is already redundant, so I do not need both tunnels in the VPN. BGP takes care of the rest. Below is the script to automate the config - repeat for each VPN tunnel.