Elena
just joined
Topic Author
Posts: 1
Joined: Mon Dec 17, 2018 2:46 pm

AWS VPN redundancy

Tue Dec 18, 2018 1:20 pm

Hello all,

I'm new here and also new to MikroTik. We recently bought an RB3011, which I have configured with 3 IPsec VPN tunnels towards AWS.
At my end I just have one fixed IP address.
Based on the configuration document that AWS provides, I set up the tunnels without issues; traffic is being tunneled and I can ping both sides.

For each VPN, AWS provides a total of 4 tunnels: two redundant site-to-site tunnels, and two redundant internal gateway IPs starting with 169 (I think for BGP purposes).

So for one VPN I got 4 tunnels:
1. Site to site - Active, SA dst address: A
2. Site to site redundant - Invalid, SA dst address: B
3. Internal Gateway 169 - Active, SA dst address: A
4. Internal Gateway 169 redundant - Active, SA dst address: B

The first thing that confuses me is that I don't get how tunnel 4 can be up while tunnel 2 is down. I'm fine with an active-passive configuration, but I would have expected tunnel 4 to be down if 2 is down.

Trying to test redundancy, I bring down tunnel 1, and tunnel 2 goes up fast.
But the traffic stops flowing. It seems I have to manually bring down tunnel 3; then traffic starts passing through tunnel 4 and all is OK again.

So I conclude that tunnel 1 has to work with tunnel 3, and tunnel 2 has to go with tunnel 4, but I don't know how I can link their swapping so they switch in pairs.

I really hope this is clearly explained; could someone please give me some direction to finish this configuration?

Regards!

Update: I read that there is a limitation on setting up redundant tunnels from the same peer IP; is that so? That might be the reason why this policy is kept as invalid, because I'm sharing the same IP as a terminator on my side and using 2 on the AWS side. Is it like this?
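One way to keep the two "169" internal-gateway policies paired with whichever site-to-site policy is actually up, as an added example that is not part of the original post or of any MikroTik documentation. It is a RouterOS script meant to run from the scheduler; it assumes the four policies carry the comments aws-s2s-A, aws-s2s-B, aws-bgp-A and aws-bgp-B (hypothetical names), that the read-only ph2-state attribute of a policy reports "established" while its phase-2 SA is up, and that only one policy of each overlapping pair should be enabled at a time.

```routeros
# Added example (not from the post): pair the internal-gateway policies with the
# site-to-site policy whose phase-2 SA is established.
# Assumed policy comments: aws-s2s-A, aws-s2s-B, aws-bgp-A, aws-bgp-B.
:local s2sA [/ip ipsec policy get [find comment="aws-s2s-A"] ph2-state]
:local s2sB [/ip ipsec policy get [find comment="aws-s2s-B"] ph2-state]

:if ($s2sA = "established") do={
    # Tunnel 1 is carrying traffic: enable only the gateway policy towards A.
    /ip ipsec policy set [find comment="aws-bgp-B"] disabled=yes
    /ip ipsec policy set [find comment="aws-bgp-A"] disabled=no
} else={
    :if ($s2sB = "established") do={
        # Tunnel 1 is down and tunnel 2 has taken over: swap the gateway policy too.
        /ip ipsec policy set [find comment="aws-bgp-A"] disabled=yes
        /ip ipsec policy set [find comment="aws-bgp-B"] disabled=no
    }
}

# Leave a trace so a failover can be found in the log afterwards.
:log info ("aws-ipsec-pair: s2s-A=" . $s2sA . " s2s-B=" . $s2sB)

# Run it periodically (assumed scheduler name and interval), e.g. from a terminal:
# /system scheduler add name=aws-ipsec-pair interval=30s on-event="/system script run aws-ipsec-pair"
```

The script never disables the site-to-site policies themselves; it only follows their state, so the existing failover between tunnels 1 and 2 keeps working as before. If neither site-to-site SA is established it leaves the gateway policies untouched rather than guessing.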
