I have two offices with on prem Fortigates (F100E) and a couple of VPCs on AWS.
There is a site-to-site IPsec tunnel between both offices (not relevant for this question), and then each office has an IPsec tunnel to AWS terminating at an AWS Transit Gateway.
I was ok setting all of that up and all traffic is flowing correctly through each site.
What I'm not sure about is that AWS gives you two tunnels with different external IP addresses for redundancy. So each office has AWS tunnel one and AWS tunnel two. Obviously these both reach the same subnet / destination.
Initially I set them both up and then (incorrectly) made tunnel one the primary by giving it an administrative distance of 10 and made tunnel two secondary and gave it an administrative distance of 20.
This worked great, including when the tunnel first failed over, but then I realised AWS tunnels do NOT fail back: they remain on the new tunnel until the next fail-over event.
So initially it worked, as both sides saw tunnel one as primary. Then tunnel one went down and it failed over to tunnel two nicely. The problem arose when tunnel one returned and the Fortigate started routing traffic down that, due to the shorter route, but AWS was routing traffic down tunnel two, so both ends ended up with a different primary.
So I need to remove that problem so that both work interchangeably.
Is it possible to establish both tunnels to the same subnet (via different external IPs) with the same administrative distance as each other?
Will this cause problems?
There is documentation from Fortinet on connecting to AWS but it just says "now create the second tunnel in the same way".
The main reason I'm hesitant is that I'm not a networking person, and I once worked with someone whom I distinctly remember telling me that you should never set two routes to the same IP range with equal distance.
I'm sure there must be a lot of people who are using Fortigates to operate site-to-site VPNs into AWS, so I'd be keen to hear how you've set this up or how you think I should proceed in this situation.