I'm still playing with AWS Hardware VPN :-)

An AWS Hardware VPN is actually two VPNs; their idea seems to be that if one fails the other will still be there. The two VPNs terminate at different endpoints at the AWS end, but at the same endpoint on the MikroTik.

Apparently in order to support route-based VPNs, AWS also provides "inside addresses", a pair for each VPN. The actual traffic to AWS has to be routed via the inside address at the AWS end.

MikroTik has a bug in that it will not allow two IPsec policies that cover the same traffic. If you set up two VPNs and want to send the same traffic over both - which is what AWS expects you to do - one of the policies will be flagged "invalid".

My workaround is to set up one policy for (say) 192.168.100.0/24 for one VPN, then two others for the other VPN, with each covering half the desired range:

VPN1: 192.168.100.0/24
VPN2: 192.168.100.0/25
      192.168.100.128/25

In order to send traffic to the right place, I also have two routes, one sending 192.168.100/24 via one inside address, the other sending the same traffic via the other inside address.

This is all working fine (though I suppose I can't use 192.168.100.127 or 192.168.100.128). If I manually disable either VPN, traffic keeps going on the other - eventually, though it can take a few tens of seconds to reestablish while dead peer detection does its thing.

Now to my questions at last :-)

I can't test a VPN failure, because I can't drop either VPN at the AWS end. If one of the two VPNs did fail, what would happen? Will the MikroTik figure it out and not try to send packets up the dead one? Do I need to run netwatch and fiddle with the route metrics?

Regards, K.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer@nullarbor.com.au)                 work +61 2 64957435
http://www.nullarbor.com.au                        mobile +61 428 957160
GPG fingerprint: 6D59 8AE6 810D 44E3 7626 7040 4DD6 F89F 3053 4774
Old fingerprint: 9DCA 0903 BCBD 0647 BCCC 2FA7 A35C 57A1 ACF9 00BB
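The split-policy workaround and the paired routes described in the post, written out as a RouterOS configuration fragment. This is an added example, not the poster's own configuration: WAN_IP, AWS_EP1/AWS_EP2, INSIDE1/INSIDE2 and the 10.1.0.0/24 LAN are placeholders, and it assumes the MikroTik's own inside addresses are assigned to an interface so the AWS-side inside addresses are directly reachable. The check-gateway=ping setting is one way to have RouterOS withdraw a route when its inside address stops answering; that is an assumption offered for the failover question, not something the post confirms.

```routeros
# Added example; placeholders only. Assumed layout:
#   10.1.0.0/24   LAN behind the MikroTik
#   WAN_IP        the MikroTik's public address (one endpoint for both VPNs)
#   AWS_EP1/2     the two AWS tunnel endpoints (outside addresses)
#   INSIDE1/2     the AWS-side "inside address" of each tunnel
#
# Policies: the whole /24 on VPN1, and the same range split into two /25s on
# VPN2. No two policies then select identical traffic, so none is flagged
# "invalid", at the cost of 192.168.100.127 and .128 as noted in the post.
/ip ipsec policy
add src-address=10.1.0.0/24 dst-address=192.168.100.0/24 \
    sa-src-address=WAN_IP sa-dst-address=AWS_EP1 tunnel=yes action=encrypt \
    comment="VPN1 full /24"
add src-address=10.1.0.0/24 dst-address=192.168.100.0/25 \
    sa-src-address=WAN_IP sa-dst-address=AWS_EP2 tunnel=yes action=encrypt \
    comment="VPN2 lower /25"
add src-address=10.1.0.0/24 dst-address=192.168.100.128/25 \
    sa-src-address=WAN_IP sa-dst-address=AWS_EP2 tunnel=yes action=encrypt \
    comment="VPN2 upper /25"

# Two routes for the same prefix, one via each AWS inside address.
# Different distances make one path preferred; check-gateway=ping is assumed
# here to withdraw the preferred route when INSIDE1 stops answering, so the
# backup route takes over without netwatch scripting. This only helps if the
# pings to the inside address themselves travel through the tunnel.
/ip route
add dst-address=192.168.100.0/24 gateway=INSIDE1 distance=1 \
    check-gateway=ping comment="AWS via VPN1 (preferred)"
add dst-address=192.168.100.0/24 gateway=INSIDE2 distance=2 \
    check-gateway=ping comment="AWS via VPN2 (backup)"
```

Verify the outcome with `/ip ipsec policy print` (no policy should show the invalid flag) and `/ip route print` after disabling one tunnel, to see which route is active.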