Saturday, March 28, 2020

Juniper vSRX + AWS site-to-site VPN doesn't work with acceleration enabled.

Hi,

I am in the process of bridging our legacy infrastructure to AWS using their site-to-site VPN.

I have observed that if the site-to-site VPN has acceleration enabled ("acceleration" is AWS's buzzword for anycast) the tunnel doesn't come up. However, if the VPN has acceleration disabled, the tunnel comes up without any problems. From a technical perspective, "acceleration" usually dst-nats a public IP to a private one (so this could be the issue); otherwise everything should be the same.

Does anyone have this working? Does anyone have a clue what the issue could be?

This is the redacted config for the VPN:

set security ike proposal ike-prop-vpn-0bc9831-1 authentication-method pre-shared-keys
set security ike proposal ike-prop-vpn-0bc9831-1 authentication-algorithm sha1
set security ike proposal ike-prop-vpn-0bc9831-1 encryption-algorithm aes-128-cbc
set security ike proposal ike-prop-vpn-0bc9831-1 lifetime-seconds 28800
set security ike proposal ike-prop-vpn-0bc9831-1 dh-group group2
set security ike policy ike-pol-vpn-0bc9831-1 mode main
set security ike policy ike-pol-vpn-0bc9831-1 proposals ike-prop-vpn-0bc9831-1
set security ike policy ike-pol-vpn-0bc9831-1 pre-shared-key ascii-text [TOP SECRET KEY]
set security ike gateway gw-vpn-0bc9831-1 ike-policy ike-pol-vpn-0bc9831-1
set security ike gateway gw-vpn-0bc9831-1 external-interface reth1.0
set security ike gateway gw-vpn-0bc9831-1 address [TOP SECRET IP]
set security ike gateway gw-vpn-0bc9831-1 no-nat-traversal
set security ike gateway gw-vpn-0bc9831-1 dead-peer-detection threshold 3
set security ipsec proposal ipsec-prop-vpn-0bc9831-1 protocol esp
set security ipsec proposal ipsec-prop-vpn-0bc9831-1 authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-prop-vpn-0bc9831-1 encryption-algorithm aes-128-cbc
set security ipsec proposal ipsec-prop-vpn-0bc9831-1 lifetime-seconds 3600
set security ipsec policy ipsec-pol-vpn-0bc9831-1 perfect-forward-secrecy keys group2
set security ipsec policy ipsec-pol-vpn-0bc9831-1 proposals ipsec-prop-vpn-0bc9831-1
set security ipsec vpn vpn-0bc9831-1 ike gateway gw-vpn-0bc9831-1
set security ipsec vpn vpn-0bc9831-1 ike ipsec-policy ipsec-pol-vpn-0bc9831-1
set security ipsec vpn vpn-0bc9831-1 df-bit clear
set interfaces st0.3 family inet address 169.254.221.34/30
set interfaces st0.3 family inet mtu 1436
set security zones security-zone trust interfaces st0.3
set security ipsec vpn vpn-0bc9831-1 bind-interface st0.3
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone trust host-inbound-traffic protocols bgp
set security flow tcp-mss ipsec-vpn mss 1379
set policy-options policy-statement EXPORT-DEFAULT term default from route-filter 0.0.0.0/0 exact
set policy-options policy-statement EXPORT-DEFAULT term default then accept
set policy-options policy-statement EXPORT-DEFAULT term reject then reject
set protocols bgp group ebgp type external
set protocols bgp group ebgp neighbor 169.254.221.33 export EXPORT-DEFAULT
set protocols bgp group ebgp neighbor 169.254.221.33 peer-as 64602
set protocols bgp group ebgp neighbor 169.254.221.33 hold-time 30
set protocols bgp group ebgp neighbor 169.254.221.33 local-as 64704

Thanks!
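A small audit script, added here as an example and not part of the post: it parses Junos "set" statements like those above and flags the IKE gateway settings that matter when the peer is reached through a destination NAT, which is the poster's own hypothesis for what "acceleration" does. The config it reads is a constructed subset of the posted one with a documentation-range address in place of the redacted IP; the finding texts are the example's own wording.

```python
"""Added example (not from the post): parse Junos 'set' statements and flag
IKE gateway settings that matter when the peer sits behind a destination NAT.
SAMPLE_CONFIG is a constructed subset of the posted config (placeholder IP)."""

SAMPLE_CONFIG = """\
set security ike policy ike-pol-vpn-0bc9831-1 mode main
set security ike gateway gw-vpn-0bc9831-1 ike-policy ike-pol-vpn-0bc9831-1
set security ike gateway gw-vpn-0bc9831-1 external-interface reth1.0
set security ike gateway gw-vpn-0bc9831-1 address 203.0.113.10
set security ike gateway gw-vpn-0bc9831-1 no-nat-traversal
set security ike gateway gw-vpn-0bc9831-1 dead-peer-detection threshold 3
"""


def parse_ike_objects(text):
    """Return {'gateway': {name: {keyword: value|True}}, 'policy': {...}}.
    Each 'set security ike <kind> <name> <keyword> [value...]' line becomes one
    entry; bare flags such as no-nat-traversal are stored as True."""
    objects = {"gateway": {}, "policy": {}}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[:3] != ["set", "security", "ike"]:
            continue
        kind, name, keyword, value = tokens[3], tokens[4], tokens[5], tokens[6:]
        if kind in objects:
            objects[kind].setdefault(name, {})[keyword] = " ".join(value) or True
    return objects


def audit_nat_path(objects):
    """List per-gateway findings worth checking when the peer address is NATed."""
    findings = []
    for name, gw in objects["gateway"].items():
        if gw.get("no-nat-traversal") is True:
            findings.append(f"{name}: no-nat-traversal disables NAT-T (UDP 4500 encapsulation)")
        if "remote-identity" not in gw:
            findings.append(f"{name}: no remote-identity, so the peer IKE ID must equal address {gw.get('address')}")
        policy = objects["policy"].get(gw.get("ike-policy"), {})
        if policy.get("mode") == "main":
            findings.append(f"{name}: IKEv1 main mode looks up the pre-shared key by peer address, so NAT rewriting matters")
    return findings


if __name__ == "__main__":
    for finding in audit_nat_path(parse_ike_objects(SAMPLE_CONFIG)):
        print(finding)
```

Run it against the full posted config and each gateway gets one line per setting to verify against the peer's actual addressing.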
