
IPSEC and routing issue

Posted: Thu Oct 04, 2018 5:32 pm
by Megaboriss
I have a problem with IPSEC and routing towards AWS.
I have a setup like in the attached picture: two routers connected via IPSEC to AWS and a third router below. Dynamic routing on the AWS links is used. The link from Router A to AWS should be primary and the link from Router B is the backup link.
All is good, but when the link from Router C to Router A goes down, Router C starts to forward traffic to 10.8.0.0/16 via Router B and the problem starts. Communication is broken and there is no connection to AWS. It looks like Router B starts to encrypt traffic from 10.10.10.0/24 to 10.8.0.0/16 according to the IPSEC policy, but it sends this encrypted traffic out via the GRE interface to Router A because the routing table has a route from Router A for network 10.8.0.0/16.
On other vendors the IPSEC policy is usually associated with the WAN interface, and if traffic doesn't exit the WAN it doesn't get encrypted, but Mikrotik logic is different.
What could be the solution or possible workaround for this?

Re: IPSEC and routing issue

Posted: Thu Oct 04, 2018 5:43 pm
by Megaboriss
And yes, when I disable encryption policy on Router B everything starts to work, but that is not a solution, because I need redundancy with two links.

Re: IPSEC and routing issue

Posted: Thu Oct 04, 2018 10:26 pm
by mducharme
I haven't had enough experience with complicated IPsec designs to know if this is normal behavior or not. Someone else may have a better workaround, but I had an idea that might work. You could possibly create a mangle rule that applies a routing mark if the packet is ipsec encrypted, to force it to be routed directly to AWS instead of across the GRE tunnel.

Re: IPSEC and routing issue

Posted: Fri Oct 05, 2018 8:54 am
by Megaboriss
mducharme, thanks for the suggestion, but that will not work, as that breaks the redundancy. I don't need static IPSEC links, I need a redundant routed connection. Routing is actually working as it should; the problem is with encryption. Traffic needs to be encrypted only when it leaves the WAN interface and not on the GRE interface.

Re: IPSEC and routing issue

Posted: Fri Oct 05, 2018 3:46 pm
by cdiedrich
Well, I'm far from being an IPsec expert, but I could imagine that it could be done with dedicated policies for the local address side.
I just had a brief look at the manual here but it might be worth a try.

Good luck,
-Chris

Re: IPSEC and routing issue

Posted: Fri Oct 05, 2018 4:07 pm
by Megaboriss
Created a script on Router A and Router B which disables the AWS-related IPSEC policy on the router if the AWS networks in the routing table are coming from the GRE interface, and enables the policy if the route is not seen from GRE.
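
Added example of the kind of script described in the post above (this is not the poster's own script, which was not shared in the thread). It assumes the AWS policy on each router carries the comment "aws-policy", that the AWS prefix is 10.8.0.0/16, that the GRE tunnel between Router A and Router B is named "gre-to-peer", and that the RouterOS v6 route property gateway-status reports the outgoing interface in the form "10.254.0.1 reachable via gre-to-peer" (all of these are assumptions, not values from the thread):

```routeros
# Added example, not the poster's script. Assumed names: IPsec policy comment
# "aws-policy", AWS prefix 10.8.0.0/16, GRE interface "gre-to-peer".
# Intended to run from /system scheduler every few seconds on Router A and B.
:local awsPrefix "10.8.0.0/16"
:local greIface "gre-to-peer"
:local policyComment "aws-policy"

# Decide whether the currently active route to the AWS prefix leaves via GRE.
# Assumption: at most one active route for the prefix (no ECMP); if there is
# no specific route at all, traffic follows the default route to the WAN, so
# the policy must stay enabled.
:local viaGre false
:local routeId [/ip route find dst-address=$awsPrefix active=yes]
:if ([:len $routeId] > 0) do={
    # gateway-status is assumed to read like "10.254.0.1 reachable via gre-to-peer"
    :local gwStatus [/ip route get [:pick $routeId 0] gateway-status]
    :if ([:typeof [:find $gwStatus $greIface]] != "nil") do={
        :set viaGre true
    }
}

# Toggle the policy only when its state actually needs to change, so the log
# shows each failover event exactly once.
:local policyId [/ip ipsec policy find comment=$policyComment]
:if ([:len $policyId] = 0) do={
    :log error ("ipsec policy with comment " . $policyComment . " not found")
} else={
    :local isDisabled [/ip ipsec policy get $policyId disabled]
    :if ($viaGre) do={
        :if ($isDisabled = false) do={
            /ip ipsec policy set $policyId disabled=yes
            :log info ("route to " . $awsPrefix . " is via " . $greIface . ", disabled ipsec policy " . $policyComment)
        }
    } else={
        :if ($isDisabled = true) do={
            /ip ipsec policy set $policyId disabled=no
            :log info ("route to " . $awsPrefix . " is not via " . $greIface . ", enabled ipsec policy " . $policyComment)
        }
    }
}
```

Store it with `/system script add name=aws-ipsec-policy-check source=...` and trigger it with `/system scheduler add name=aws-ipsec-policy-check interval=5s on-event=aws-ipsec-policy-check`. Because the scheduler polls, there is a window after the route flips back to the WAN during which the policy is still disabled and packets for 10.8.0.0/16 would leave the WAN interface in the clear; a firewall filter rule on the WAN out direction that drops traffic to the AWS prefix matching `ipsec-policy=out,none` closes that window (the matcher exists in RouterOS v6; the rule itself is a suggested guard, not something from the thread).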

Re: IPSEC and routing issue

Posted: Fri Oct 05, 2018 4:47 pm
by Sob
I'm on thin ice here too, because I don't know much about BGP and don't know if it changes something. But once the original packet to 10.8.x.x gets encrypted, the destination of the ESP packet is no longer 10.8.x.x, but whatever is in the policy's sa-dst-address, and it should be reachable via Router B's WAN, shouldn't it?