@Abbys: luckily I still have the netstat output from the time the link was down:
[2.4.4-RELEASE][admin@fw1.int.example.net]/root: netstat -rn | grep 169.254.22
169.254.22.149 link#27 UH ipsec500
169.254.22.150 link#27 UHS lo0

It's exactly the same now that the tunnel is up - except BGP has also installed a route to our AWS address space (10.30/16)
[2.4.4-RELEASE][admin@fw1.int.example.net]/root: netstat -rn | grep 169.254.22
10.30.0.0/16 169.254.22.149 UG1 ipsec500
169.254.22.149 link#27 UH ipsec500
169.254.22.150 link#27 UHS lo0

(The interface is actually ipsec5000, it's just been truncated in netstat output)