VPN S2S With Public VIF Enabled

Hello ,

Hope is all good,

My Answer will Assume that the Internet Service Provider IP Address Range you are using for the VPN, you don't own it so you are not advertising them using the public VIF & you are using just the default route for the internet line .

The issue appears to be from the fact that the AWS Public VPN IP Range is being advertised from the Public VIF. Consequently, your Router (CPE) tends to prefer the Public VIF as an exit interface (if there is no specific route defined). the Source IP of the tunnel will be from the Range of the ISP Range. where AWS will, recognizing that this source is not in the Owned Range and, filters this traffic received from the public VIF, resulting in the VPN tunnel consistently remaining down when the Public VIF Is UP.

https://docs.aws.amazon.com/directconnect/latest/UserGuide/routing-and-bgp.html#routing-policies

To address this challenge, I recommend implementing a specific route on your CPE towards your Internet Service Provider for the AWS Public VPN IP address. This will allow your CPE to explicitly route traffic destined for the AWS Public VPN IP Range through your Internet connection.

Please reply back if my assumption is wrong and provide the VPN logs you captured