I'm currently doing battle with an AWS VPN (and many thanks to those people here who have helped me; I can't name names, but they know who they are). I've got it working, but there are a couple of things I don't understand.

One thing that the AWS doco mentions is "tunnel interfaces" and it is clear from the various sample configurations for other platforms that the common way to do this is to set up a virtual interface at the ends of the tunnel. ASCII art coming up:

                       REALIP                               REALIP
----------------------- VIP -------------------------------- VIP -----------------------

The tunnel proper is between the two real IPs; these are globally routable IP addresses. In my test setup, they are my router's outside address 1.2.3.4, and an Amazon address 2.3.4.5.

Amazon also provides the two VIPs - which it calls "inside addresses" and suggests should be placed on "tunnel interfaces". I've just stuck them on the same interfaces as the real IPs, and it works fine. But is there some way to set up a virtual interface that would work the way Amazon seems to intend? It would be nicer not to have the outside interface festooned with private addresses.

By analogy, look at a GRE interface. That's a virtual interface that forms a network with the other end of the GRE tunnel. Traffic can be routed across a GRE tunnel.

I tried creating a bridge interface, but could see no way to associate it with the IPsec tunnel. EoIP, IPIP and GRE are about the only tunnel interface types I can think of off the top of my head, but they all require cooperation at the other end. AWS is fully automated - what you get is what you get.

Am I not understanding IPsec, or not understanding RouterOS?

Any ideas most welcome. Or pointers to good explanations :-)

Regards, K.
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer@nullarbor.com.au)                   work +61 2 64957435
http://www.nullarbor.com.au                        mobile +61 428 957160

GPG fingerprint: 6D59 8AE6 810D 44E3 7626 7040 4DD6 F89F 3053 4774
Old fingerprint: 9DCA 0903 BCBD 0647 BCCC 2FA7 A35C 57A1 ACF9 00BB