@marcelosb
Hi,
I have switched to Policy-based mode for tunnels. I gave up on the VTI mode.
Policy-based mode concentrates traffic on a single interface, and is therefore less flexible. However, it does not require a static route and enables failover. It is configured as follows, in tunnel phase 2:
For a tunnel between A (AWS for me) and B (pfSense gateway):
VPN > IPsec > Tunnels > P1 > Add P2
Mode: IPv4 tunnel
Local Network: <B private network>
Remote Network: <A private network>
In this mode, to manage failover, the DPD (Dead Peer Detection) option in phase 1 must be enabled. For example, Delay = 3 and Max failures = 1.
Routing is done at the tunnel level, which automatically pushes routes in this mode.
Simply configure the firewall to allow incoming traffic from the A network to the B network.
The firewall rules will be defined on the IPsec interface. In Policy-based mode, this interface groups the two tunnels together. This way, when one tunnel goes down, the other tunnel is already authorized by the firewall.
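For readers who want to see what the GUI settings above correspond to in the underlying strongSwan daemon that pfSense uses, here is an added swanctl.conf fragment for one policy-based tunnel with DPD enabled. It is an illustration written for this thread, not configuration generated by pfSense or taken from the original post; the addresses, identities and the PSK placeholder are assumed.

```conf
# Added illustration: policy-based (no VTI) IPsec tunnel with DPD, in
# strongSwan swanctl.conf syntax. Addresses and IDs below are assumed.
connections {
    aws-tunnel-1 {
        version = 2                      # IKEv2
        local_addrs  = 203.0.113.10      # B: pfSense WAN (assumed)
        remote_addrs = 198.51.100.20     # A: AWS tunnel endpoint (assumed)
        proposals = aes256-sha256-modp2048

        # Liveness check: send a DPD probe every 3 s when idle.
        # This is the "Delay = 3" setting from the GUI.
        dpd_delay = 3s

        local {
            auth = psk
            id = 203.0.113.10
        }
        remote {
            auth = psk
            id = 198.51.100.20
        }

        children {
            b-to-a {
                # Policy-based mode: traffic selectors instead of a routed VTI.
                # No static route is needed; the kernel policy steers traffic.
                mode = tunnel
                local_ts  = 10.10.0.0/16     # B private network (assumed)
                remote_ts = 172.31.0.0/16    # A private network (assumed)
                esp_proposals = aes256-sha256-modp2048
                start_action = start         # bring the tunnel up on load
                # When DPD declares the peer dead, tear down and re-establish
                # rather than leaving a stale SA in place.
                dpd_action = restart
            }
        }
    }
}

secrets {
    ike-aws-1 {
        id = 198.51.100.20
        secret = "REPLACE_WITH_PRESHARED_KEY"   # placeholder
    }
}
```

Firewall rules still have to permit A-to-B traffic on the IPsec interface, as described above; the config only establishes the tunnel and its policies.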