For anyone interested - I found a way to work around this issue that works for me. To clarify - I am using the Mikrotik CHR virtual appliance in AWS in a small VPC dedicated as a routing hub to terminate IPSec tunnels from other AWS regions. The purpose of the routing hub is to interconnect AWS regions - functionality that does not currently exist in the AWS stack. For redundancy purposes I place one CHR in each of two different AZs. For my solution, the two CHRs do not have to be BGP peers. From the remote region’s VPC, I create two VPN tunnels - one to each CHR. I only bring up ONE IPSec tunnel in the VPN connection (due to the other one being marked as invalid on the Mikrotik). Because I establish two tunnels to two different CHRs, it’s already redundant, so I do not need both tunnels in the VPN. BGP takes care of the rest. Below is the script to automate the config - repeat for each VPN tunnel.
Credit to:
http://forum.mikrotik.com/t/amazon-aws-vpn-a-working-configuration-example-and-bug/79770/1
http://rant.gulbrandsen.priv.no/amazon/mikrotik-aws-ipsec
http://biplane.com.au/blog/?p=406
http://gregsowell.com/wp-content/uploads/downloads/2010/03/gregsowell-mikrotik-routing.pdf
```
# set global variables
:global RemoteLocation "Production US-East-1";
:global LocalPrivateIP "10.20.0.5";
:global LocalNet "10.20.0.0/24";
:global RemoteNet "10.40.0.0/24";
:global TunnelDesc "Production (vpn-********)";
:global AWSVPGIP "35.10.10.10";
:global Secret "odnefoirfjegoirjrjeorjg";
:global LocalBGPIP "169.254.4.2";
:global AWSBGPIP "169.254.4.1";

# add local BGP IP address (169.254.4.2/30) manually !!!

# create ipsec proposal (phase 2 parameters the AWS VPN endpoint accepts)
/ip ipsec proposal
add name=aws \
    auth-algorithms=sha1 \
    enc-algorithms=aes-128-cbc \
    lifetime=1h \
    pfs-group=modp1024;

# create ipsec peer (phase 1, pre-shared key from the AWS VPN configuration download)
/ip ipsec peer
add comment="$TunnelDesc" \
    address=$AWSVPGIP \
    local-address=$LocalPrivateIP \
    secret=$Secret \
    dpd-interval=10s dpd-maximum-failures=3 \
    enc-algorithm=aes-128 lifetime=8h \
    nat-traversal=no;

# create ipsec policy for remote network
/ip ipsec policy
add comment="$TunnelDesc" \
    proposal=aws \
    src-address=0.0.0.0/0 dst-address=$RemoteNet \
    sa-src-address=$LocalPrivateIP sa-dst-address=$AWSVPGIP \
    tunnel=yes \
    priority=1;
# next line fixes the above source that gets added incorrectly for some reason
/ip ipsec policy set src-address=0.0.0.0/0 [find comment="$TunnelDesc"];

# create ipsec policy for BGP network (the 169.254.x.x inside-tunnel address on the AWS side)
/ip ipsec policy
add comment="$TunnelDesc BGP" \
    proposal=aws \
    src-address=0.0.0.0/0 dst-address=$AWSBGPIP \
    sa-src-address=$LocalPrivateIP sa-dst-address=$AWSVPGIP \
    tunnel=yes \
    priority=1;
# next line fixes the above source that gets added incorrectly for some reason
/ip ipsec policy set src-address=0.0.0.0/0 [find comment="$TunnelDesc BGP"];

# create source-NAT
/ip firewall nat
add action=src-nat chain=srcnat dst-address=$RemoteNet to-addresses=$LocalNet;

# configure BGP instance (once per CHR)
/routing bgp instance
set default client-to-client-reflection=no redistribute-other-bgp=yes;

# configure BGP peer (AWS VGW always uses AS 7224; as-override so every region can share one AS)
/routing bgp peer
add as-override=yes hold-time=30s \
    name="$RemoteLocation $AWSBGPIP" \
    remote-address=$AWSBGPIP remote-as=7224 \
    route-reflect=yes ttl=default \
    update-source=$LocalBGPIP;

# add network to advertise
/routing bgp network
add network=$LocalNet;
```
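Since the script above has to be repeated for every tunnel (two per remote region, one to each CHR), here is an added example of my own, not from the post, that takes the same per-tunnel values, sanity-checks them (addresses inside the right networks, the 169.254.x.x/30 BGP pair actually matching, no stray quotes) and emits the per-tunnel RouterOS commands; the field names are my own choice.

```python
# Added example, not from the post: sanity-check one tunnel's values and emit
# its RouterOS commands. Field names are my own choice.
import ipaddress
from dataclasses import dataclass

@dataclass
class Tunnel:
    remote_location: str   # label used in the BGP peer name
    local_private_ip: str  # CHR private address in the hub VPC
    local_net: str         # hub VPC CIDR advertised into BGP
    remote_net: str        # remote region's VPC CIDR
    tunnel_desc: str       # comment used to find the objects again
    aws_vpg_ip: str        # AWS VGW outside address
    secret: str            # pre-shared key from the AWS VPN config
    local_bgp_ip: str      # inside tunnel address, CHR side
    aws_bgp_ip: str        # inside tunnel address, AWS side

def check(t: Tunnel) -> list:
    """Return the problems found; an empty list means the values look sane."""
    problems = []
    local_net, remote_net = ipaddress.ip_network(t.local_net), ipaddress.ip_network(t.remote_net)
    if ipaddress.ip_address(t.local_private_ip) not in local_net:
        problems.append("LocalPrivateIP is not inside LocalNet")
    if local_net.overlaps(remote_net):
        problems.append("LocalNet and RemoteNet overlap")
    # AWS assigns the inside addresses as a 169.254.x.x/30; both ends must share that /30
    mine = ipaddress.ip_interface(f"{t.local_bgp_ip}/30").network
    theirs = ipaddress.ip_interface(f"{t.aws_bgp_ip}/30").network
    if mine != theirs or not mine.subnet_of(ipaddress.ip_network("169.254.0.0/16")):
        problems.append("BGP inside addresses are not a matching 169.254.x.x/30 pair")
    if '"' in t.tunnel_desc or '"' in t.secret:
        problems.append("a double quote in TunnelDesc or Secret would break the script")
    return problems

def render(t: Tunnel) -> str:
    """One RouterOS command per line, straight quotes only (the proposal and the
    BGP instance settings from the post are per-CHR and are not repeated here)."""
    d, me, vgw = t.tunnel_desc, t.local_private_ip, t.aws_vpg_ip
    policy = f"proposal=aws src-address=0.0.0.0/0 sa-src-address={me} sa-dst-address={vgw} tunnel=yes priority=1"
    return "\n".join([
        f'/ip ipsec peer add comment="{d}" address={vgw} local-address={me} secret="{t.secret}" dpd-interval=10s dpd-maximum-failures=3 enc-algorithm=aes-128 lifetime=8h nat-traversal=no',
        f'/ip ipsec policy add comment="{d}" dst-address={t.remote_net} {policy}',
        f'/ip ipsec policy set src-address=0.0.0.0/0 [find comment="{d}"]',
        f'/ip ipsec policy add comment="{d} BGP" dst-address={t.aws_bgp_ip} {policy}',
        f'/ip ipsec policy set src-address=0.0.0.0/0 [find comment="{d} BGP"]',
        f'/ip firewall nat add action=src-nat chain=srcnat dst-address={t.remote_net} to-addresses={t.local_net}',
        f'/routing bgp peer add as-override=yes hold-time=30s name="{t.remote_location} {t.aws_bgp_ip}" remote-address={t.aws_bgp_ip} remote-as=7224 route-reflect=yes ttl=default update-source={t.local_bgp_ip}',
        f'/routing bgp network add network={t.local_net}',
    ]) + "\n"
```

Run `check()` on each tunnel before pasting the output of `render()` into the CHR; the local 169.254.x.x/30 address still has to be added by hand as the post says.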