RouterOS <> AWS VPN - Asymmetric Routing problem

Hello folks!

I’ve recently set up an IPsec site-to-site VPN on AWS (Virtual Private Gateway, not Transit Gateway) with my CCR2004 (v6.49.5).

AWS provides two tunnels per VPN connection so we can have redundancy on the connection. I’ve added both peers and their policies, as you can see here:

 8   A  peer=peer-AWS-1,peer-AWS-2 tunnel=yes src-address=10.40.0.0/16 src-port=any 
        dst-address=172.30.0.0/16 dst-port=any protocol=all action=encrypt level=require 
        ipsec-protocols=esp sa-src-address=y.y.y.y sa-dst-address=x.x.x.x 
        proposal=proposal-AWS ph2-count=1 

 9   A  peer=peer-AWS-1,peer-AWS-2 tunnel=yes src-address=10.100.100.0/24 src-port=any 
        dst-address=172.30.0.0/16 dst-port=any protocol=all action=encrypt level=require 
        ipsec-protocols=esp sa-src-address=y.y.y.y sa-dst-address=x.x.x.x 
        proposal=proposal-AWS ph2-count=1 

10   A  peer=peer-AWS-1,peer-AWS-2 tunnel=yes src-address=10.100.90.0/24 src-port=any 
        dst-address=172.30.0.0/16 dst-port=any protocol=all action=encrypt level=require 
        ipsec-protocols=esp sa-src-address=y.y.y.y sa-dst-address=x.x.x.x 
        proposal=proposal-AWS ph2-count=1 

11   A  peer=peer-AWS-1,peer-AWS-2 tunnel=yes src-address=10.41.0.0/24 src-port=any 
        dst-address=172.30.0.0/16 dst-port=any protocol=all action=encrypt level=require 
        ipsec-protocols=esp sa-src-address=y.y.y.y sa-dst-address=x.x.x.x 
        proposal=proposal-AWS ph2-count=1

As you can see, each policy has the two peers, which point to VPN tunnels 1 and 2 respectively.

If I keep both peers enabled, the VPN doesn’t work; the SA connections time out. After escalating it with AWS support, we were able to get the connection to work if I disable one of the peers in the peer tab. They told me that the reason it isn’t working is that AWS VPNs use asymmetric routing in order to have both tunnels up, as AWS picks randomly which tunnel will receive the response packets. I’ve searched and wasn’t able to find which settings I should tweak in order to get asymmetric routing enabled on MikroTik.

I found one article saying that asymmetric routing is enabled by default on MikroTik routers and can only be disabled by some settings under IP > Settings. I’ve never touched that screen and have the default options:

 /ip settings> print
              ip-forward: yes
          send-redirects: yes
     accept-source-route: no
        accept-redirects: no
        secure-redirects: yes
               rp-filter: no
          tcp-syncookies: no
    max-neighbor-entries: 8192
             arp-timeout: 30s
         icmp-rate-limit: 10
          icmp-rate-mask: 0x1818
             route-cache: yes
         allow-fast-path: yes
   ipv4-fast-path-active: no
  ipv4-fast-path-packets: 0
    ipv4-fast-path-bytes: 0
   ipv4-fasttrack-active: no
  ipv4-fasttrack-packets: 0
    ipv4-fasttrack-bytes: 0

Can someone shed some light on what I need to do to make this work?

Thank you!

Best regards,
Gutemberg
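As an added example, not part of the original post or of MikroTik or AWS documentation, this is what the layout the poster arrived at with AWS support looks like when written out as RouterOS v6.49 configuration: one IPsec peer per AWS tunnel, one set of policies per peer (so each tunnel negotiates its own single SA pair), and tunnel 2 kept as a cold standby with its peer and policies disabled. The addresses are RFC 5737 placeholders, the profile and proposal parameters are assumptions (take the real values from the customer gateway configuration file AWS generates), and the peer, policy and comment names are illustrative.

```routeros
# Added example (not the thread's own configuration).
# Assumptions: 198.51.100.10 is the CCR's public address (y.y.y.y in the post),
# 203.0.113.1 and 203.0.113.2 are the two distinct AWS tunnel outside addresses
# (the post shows both as x.x.x.x), and the crypto parameters match what AWS
# generated for this connection.

/ip ipsec profile
add name=profile-AWS enc-algorithm=aes-256 hash-algorithm=sha256 \
    dh-group=modp2048 lifetime=8h dpd-interval=10s dpd-maximum-failures=3

/ip ipsec proposal
add name=proposal-AWS enc-algorithms=aes-256-cbc auth-algorithms=sha256 \
    pfs-group=modp2048 lifetime=1h

# One peer per AWS tunnel. Tunnel 2 is disabled so that only one SA pair
# exists toward AWS at any time (the workaround that made the VPN come up).
/ip ipsec peer
add name=peer-AWS-1 address=203.0.113.1/32 local-address=198.51.100.10 \
    exchange-mode=ike2 profile=profile-AWS
add name=peer-AWS-2 address=203.0.113.2/32 local-address=198.51.100.10 \
    exchange-mode=ike2 profile=profile-AWS disabled=yes

# Each tunnel has its own pre-shared key in the AWS-generated configuration.
/ip ipsec identity
add peer=peer-AWS-1 auth-method=pre-shared-key secret="<psk-tunnel-1>"
add peer=peer-AWS-2 auth-method=pre-shared-key secret="<psk-tunnel-2>"

# Policies reference exactly one peer each. The tunnel-2 copies carry the same
# selectors but stay disabled: RouterOS matches the first policy whose selectors
# fit, so two enabled policies with identical selectors and different peers
# would shadow each other instead of giving active/active behaviour.
/ip ipsec policy
add peer=peer-AWS-1 tunnel=yes src-address=10.40.0.0/16    dst-address=172.30.0.0/16 \
    proposal=proposal-AWS action=encrypt level=require ipsec-protocols=esp comment="AWS tunnel 1"
add peer=peer-AWS-1 tunnel=yes src-address=10.100.100.0/24 dst-address=172.30.0.0/16 \
    proposal=proposal-AWS action=encrypt level=require ipsec-protocols=esp comment="AWS tunnel 1"
add peer=peer-AWS-1 tunnel=yes src-address=10.100.90.0/24  dst-address=172.30.0.0/16 \
    proposal=proposal-AWS action=encrypt level=require ipsec-protocols=esp comment="AWS tunnel 1"
add peer=peer-AWS-1 tunnel=yes src-address=10.41.0.0/24    dst-address=172.30.0.0/16 \
    proposal=proposal-AWS action=encrypt level=require ipsec-protocols=esp comment="AWS tunnel 1"
add peer=peer-AWS-2 tunnel=yes src-address=10.40.0.0/16    dst-address=172.30.0.0/16 \
    proposal=proposal-AWS action=encrypt level=require ipsec-protocols=esp comment="AWS tunnel 2" disabled=yes
add peer=peer-AWS-2 tunnel=yes src-address=10.100.100.0/24 dst-address=172.30.0.0/16 \
    proposal=proposal-AWS action=encrypt level=require ipsec-protocols=esp comment="AWS tunnel 2" disabled=yes
add peer=peer-AWS-2 tunnel=yes src-address=10.100.90.0/24  dst-address=172.30.0.0/16 \
    proposal=proposal-AWS action=encrypt level=require ipsec-protocols=esp comment="AWS tunnel 2" disabled=yes
add peer=peer-AWS-2 tunnel=yes src-address=10.41.0.0/24    dst-address=172.30.0.0/16 \
    proposal=proposal-AWS action=encrypt level=require ipsec-protocols=esp comment="AWS tunnel 2" disabled=yes

# Check: exactly one active peer and one SA pair (one inbound, one outbound)
# per policy selector should be installed.
/ip ipsec active-peers print
/ip ipsec installed-sa print

# Manual failover to tunnel 2 (reverse the four commands to fail back).
/ip ipsec policy disable [find comment="AWS tunnel 1"]
/ip ipsec peer disable [find name=peer-AWS-1]
/ip ipsec peer enable [find name=peer-AWS-2]
/ip ipsec policy enable [find comment="AWS tunnel 2"]
```

The caveat is that this is active/standby, not the active/active pair AWS is designed around: the second tunnel is never up while the first is, so failover is manual (or scripted around the four commands at the end) rather than automatic. Automatic failover with both tunnels established is what the BGP option discussed further down in the thread is for.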

AWS IPsec tunnels are made to work with dynamic routing if you want redundancy, regardless of your on-premises hardware.

If you try to set it up with static routing you will always have some kind of asymmetric routing. Some setups just do not bring up one of the two tunnels; complex ones deploy dynamic routing to set up the routes in the VPN.

Best Regards,

Diego

PS: Take my statement as a point of view, not as the only possibility.

Thanks for the reply Diego.

I’ve tried to set it up with BGP before, but never had success, as the tunnel never came up. I was on the latest v7 RouterOS, but all the guides I found were using v6.x, so I downgraded, but still no success on the AWS side. Then I tried to use regular policy-based routing, which finally worked.

Do you have any precise guide for v7 or even v6 that works with BGP on AWS? Maybe that would solve my asymmetric routing situation, as you said.

Thank you!

I’ve finally made it work with BGP, but the problem remains the same: asymmetric routing with the two tunnels.

AWS expects only one SA pair per tunnel so packets can come and go both ways when needed. If we set the same policy to have two peers, it fails to send/receive packets and eventually the tunnel dies.

I do not have any example done with MikroTik; I have done it with other hardware providers.

If you are sure that it is an SA issue, you could make one wide policy that includes all networks instead of separate policies, and then filter the allowed traffic with firewall rules.

I think that is still asymmetric routing, as AWS said that works. When you have dynamic routing active it usually is not an issue, but it depends on how stateful the configuration on the site is.
I also do not remember whether in v7 you will have both routes (for the VPN tunnels) active or only one route active; both are in memory, and if one fails the second will show up in the FIB.

Does it make sense to you?

Best Regards,

Diego