576 Views, 0 Helpful, 10 Replies

I am facing a problem while creating AWS VPN

mabinvattothu
Level 1

I am trying to create a VPN from an AWS VPC to another VPC where a Cisco C8000v router is deployed. I deployed it from the transit gateway and the VPN was created with IPsec, GRE and BGP, and I was able to download the doc, but when I added all of these to the Cisco router only the IPsec tunnel comes up; GRE and BGP are not coming up. What could be the reason? I cross-checked all configurations but still the same issue. Can anyone help?


10 Replies

I used the one which AWS generated for Cisco.

mabinvattothu
Level 1

Is it mandatory to create a separate VRF?

Could you copy-paste the config here without any confidential info (put *** instead of public IPs and keys/passwords)?

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

mabinvattothu
Level 1

Sure, as of now I am testing the environment, so I will share all the details.

When I configure like this, only IPsec is coming up in AWS. GRE and BGP are not coming up.
! Amazon Web Services
! Virtual Private Cloud
!
! Your VPN Connection ID : vpn-0b180c327f2466303
! Your Virtual Private Gateway ID :
! Your Customer Gateway ID : cgw-0a63f82b8052a45f2
!
!
! --------------------------------------------------------------------------------
! IPSec Tunnel #1
! --------------------------------------------------------------------------------
! #1: Internet Key Exchange (IKE) Configuration
!
!
crypto ikev2 proposal PROPOSAL1
encryption aes-cbc-128
integrity sha1
group 2
exit

crypto ikev2 policy POLICY1
match address local 172.16.3.68
proposal PROPOSAL1
exit

crypto ikev2 keyring KEYRING1
peer 3.219.197.120
address 3.219.197.120
pre-shared-key p30vusQjxrSFLfIKq4q7Ir7QzOoUhe02
exit

crypto ikev2 profile IKEV2-PROFILE
match address local 172.16.3.68
match identity remote address 3.219.197.120
authentication remote pre-share
authentication local pre-share
keyring local KEYRING1
lifetime 28800
dpd 10 10 on-demand
exit

! #2: IPSec Configuration
!
crypto ipsec transform-set ipsec-prop-vpn-0b180c327f2466303-0 esp-aes 128 esp-sha-hmac
mode tunnel
exit

!
crypto ipsec profile ipsec-vpn-0b180c327f2466303-0
set pfs group2
set security-association lifetime seconds 3600
set transform-set ipsec-prop-vpn-0b180c327f2466303-0
set ikev2-profile IKEV2-PROFILE
exit

crypto ipsec df-bit clear

crypto isakmp keepalive 10 10

crypto ipsec security-association replay window-size 128

crypto ipsec fragmentation before-encryption


! --------------------------------------------------------------------------------
! #3: Tunnel Interface Configuration
!
!
interface Tunnel1
ip address 169.254.28.230 255.255.255.252
ip virtual-reassembly
tunnel source 172.16.3.68
tunnel destination 3.219.197.120
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsec-vpn-0b180c327f2466303-0
! This option causes the router to reduce the Maximum Segment Size of
! TCP packets to prevent packet fragmentation.
ip tcp adjust-mss 1379
no shutdown
exit

! --------------------------------------------------------------------------------

! #4: Border Gateway Protocol (BGP) Configuration
!
! 'Network' command will be used here to advertise CGW network to AWS via BGP. An example for a CGW with the prefix 192.168.100.0/24 is provided below:

router bgp 6520
bgp log-neighbor-changes
bgp graceful-restart
address-family ipv4 unicast
neighbor 169.254.28.229 remote-as 64512
neighbor 169.254.28.229 ebgp-multihop 255
neighbor 169.254.28.229 activate
network 192.168.100.0 mask 255.255.255.0
no auto-summary
no synchronization
exit-address-family
exit

Ipsec is UP

BGP not UP

Show crypto session 

Show ip bgp 

Share these 

MHM

First of all, this is an IPsec VTI tunnel, not GRE (tunnel mode is ipsec ipv4). That is normal, because you use a transit gateway VPN attachment (for GRE, you need a Connect attachment and a VPC attachment or DX as transport).

Share from router:

show ip bgp summary

show interface tunnel1

show ip int brief

show log | sec bgp

show crypto ikev2 sa

show crypto ipsec sa

ping 169.254.28.229

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

mabinvattothu
Level 1

Tested again but same issue.

!
crypto ikev2 proposal PROPOSAL1
encryption aes-cbc-128
integrity sha1
group 2
!
crypto ikev2 policy POLICY1
match address local 172.16.3.33
proposal PROPOSAL1
!
crypto ikev2 keyring KEYRING1
peer 75.2.10.10
address 75.2.10.10
pre-shared-key mXEjONAEzhwAoDBmQCvxcVpRFx9VC1F0
!
!
!
crypto ikev2 profile IKEV2-PROFILE
match address local interface GigabitEthernet1
match identity remote address 75.2.10.10 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local KEYRING1
lifetime 28800
dpd 10 10 on-demand
!
crypto isakmp keepalive 10 10
!
crypto ipsec security-association replay window-size 128
!
crypto ipsec transform-set ipsec-prop-vpn-090ba4c79f71fdd76-0 esp-aes esp-sha-hmac
mode tunnel
crypto ipsec df-bit clear
!
!
crypto ipsec profile ipsec-vpn-090ba4c79f71fdd76-0
set transform-set ipsec-prop-vpn-090ba4c79f71fdd76-0
set pfs group2
set ikev2-profile IKEV2-PROFILE
!
interface Loopback0
ip address 10.1.1.1 255.255.255.0
!
interface Tunnel1
ip address 169.254.218.38 255.255.255.252
ip tcp adjust-mss 1379
tunnel source GigabitEthernet1
tunnel mode ipsec ipv4
tunnel destination 75.2.10.10
tunnel protection ipsec profile ipsec-vpn-090ba4c79f71fdd76-0
ip virtual-reassembly
!
interface VirtualPortGroup0
vrf forwarding GS
ip address 192.168.35.101 255.255.255.0
ip nat inside
no mop enabled
no mop sysid
!
interface GigabitEthernet1
ip address dhcp
ip nat outside
negotiation auto
ipv6 address dhcp
ipv6 enable
ipv6 nd autoconfig default-route
no mop enabled
no mop sysid
!
interface GigabitEthernet3
ip address 172.16.3.159 255.255.255.192
negotiation auto
no mop enabled
no mop sysid
!
router bgp 64520
bgp log-neighbor-changes
bgp graceful-restart
neighbor 169.254.218.37 remote-as 64512
neighbor 169.254.218.37 ebgp-multihop 255
neighbor 169.254.218.37 transport connection-mode active
!
address-family ipv4
network 192.168.100.0
neighbor 169.254.218.37 activate
exit-address-family
!
iox
ip forward-protocol nd
ip tcp window-size 8192
ip http server
ip http secure-server
!
ip nat inside source list GS_NAT_ACL interface GigabitEthernet1 vrf GS overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet1 172.16.3.1
ip route 0.0.0.0 0.0.0.0 172.16.3.168
ip route 10.1.1.0 255.255.255.0 GigabitEthernet1
ip route vrf GS 0.0.0.0 0.0.0.0 GigabitEthernet1 172.16.3.1 global
ip ssh rsa keypair-name ssh-key
ip ssh version 2
ip ssh pubkey-chain
username ec2-user
key-hash ssh-rsa 732BB6D4FB14665C4D6F049795EDE42F ec2-user
ip ssh server algorithm publickey ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 ssh-rsa x509v3-ecdsa-sha2-nistp256 x509v3-ecdsa-sha2-nistp384 x509v3-ecdsa-sha2-nistp521
ip scp server enable
!
ip access-list standard GS_NAT_ACL
10 permit 192.168.35.0 0.0.0.255
!
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
stopbits 1
line aux 0
line vty 0 4
transport input ssh
line vty 5 20
transport input ssh
!
app-hosting appid guestshell
app-vnic gateway1 virtualportgroup 0 guest-interface 0
guest-ipaddress 192.168.35.102 netmask 255.255.255.0
app-default-gateway 192.168.35.101 guest-interface 0
name-server0 8.8.8.8
end

-------------------------------------------


ip-172-16-3-33#show interface tunnel1
Tunnel1 is up, line protocol is up
Hardware is Tunnel
Internet address is 169.254.218.38/30
MTU 9922 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel linestate evaluation up
Tunnel source 172.16.3.33 (GigabitEthernet1), destination 75.2.10.10
Tunnel Subblocks:
src-track:
Tunnel1 source tracking subblock associated with GigabitEthernet1
Set of tunnels with source GigabitEthernet1, 1 member (includes iterators), on interface <OK>
Tunnel protocol/transport IPSEC/IP
Tunnel TTL 255
Tunnel transport MTU 1422 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile "ipsec-vpn-090ba4c79f71fdd76-0")
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters 00:46:30
Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
160 packets input, 9600 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
518 packets output, 23744 bytes, 0 underruns
Output 0 broadcasts (0 IP multicasts)
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
ip-172-16-3-33# show ip int brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet1 172.16.3.33 YES DHCP up up
GigabitEthernet3 172.16.3.159 YES NVRAM up up
Loopback0 10.1.1.1 YES NVRAM up up
Tunnel1 169.254.218.38 YES manual up up
VirtualPortGroup0 192.168.35.101 YES NVRAM up up
ip-172-16-3-33#show log | sec bgp
ip-172-16-3-33#show log | sec bgp
ip-172-16-3-33#show crypto ikev2 sa
IPv4 Crypto IKEv2 SA

Tunnel-id Local Remote fvrf/ivrf Status
1 172.16.3.33/4500 75.2.10.10/4500 none/none READY
Encr: AES-CBC, keysize: 128, PRF: SHA1, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 28800/2807 sec

IPv6 Crypto IKEv2 SA

ip-172-16-3-33#show crypto ipsec sa

interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr 172.16.3.33

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 75.2.10.10 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 536, #pkts encrypt: 536, #pkts digest: 536
#pkts decaps: 164, #pkts decrypt: 164, #pkts verify: 164
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 172.16.3.33, remote crypto endpt.: 75.2.10.10
plaintext mtu 1422, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
current outbound spi: 0xCF6B6504(3479921924)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0xF9A53A28(4188355112)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2002, flow_id: CSR:2, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4607983/787)
IV size: 16 bytes
replay detection support: Y replay window size: 128
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xCF6B6504(3479921924)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2001, flow_id: CSR:1, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4607976/787)
IV size: 16 bytes
replay detection support: Y replay window size: 128
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:
ip-172-16-3-33# ping 169.254.218.37
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 169.254.218.37, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
ip-172-16-3-33#

Tunnel state (AWS console):
Tunnel number: Tunnel 1
Outside IP address: 75.2.10.10
Inside IPv4 CIDR: 169.254.218.36/30
Inside IPv6 CIDR: –
Status: Down
Last status change: May 16, 2024, 23:08:09 (UTC+05:30)
Details: IPSEC IS UP
Certificate ARN: –

That is strange that you don't have a ping response. Not sure, but AWS must not block it.

Do the ping and after that let's check ARP with "show ip arp tunnel1". Also, share "show ip bgp summary".

And do "telnet 169.254.218.37 179".

One clarification: is it a VPN attachment or a VPC attachment? Can you share some screens from the AWS console about this attachment?

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.
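The replies above walk the problem bottom-up: IKEv2 SA, IPsec SA, tunnel line protocol, ping across the tunnel, then the BGP session on TCP 179. The following is an added example, not code from the thread, Cisco or AWS: a small Python checker that parses the show outputs posted above (embedded here as constructed samples trimmed from the post; the `show ip bgp summary` line is constructed, since that output was never posted) and reports the lowest layer that fails, together with the checks the thread proposes for it.

```python
import re

# Sample command outputs, constructed for this example from the show
# outputs posted in the thread (trimmed to the lines the checks need).
IKEV2_SA = """\
IPv4 Crypto IKEv2 SA

Tunnel-id Local Remote fvrf/ivrf Status
1 172.16.3.33/4500 75.2.10.10/4500 none/none READY
"""

IPSEC_SA = """\
interface: Tunnel1
current_peer 75.2.10.10 port 4500
#pkts encaps: 536, #pkts encrypt: 536, #pkts digest: 536
#pkts decaps: 164, #pkts decrypt: 164, #pkts verify: 164
inbound esp sas:
Status: ACTIVE(ACTIVE)
outbound esp sas:
Status: ACTIVE(ACTIVE)
"""

INT_BRIEF = """\
Interface IP-Address OK? Method Status Protocol
GigabitEthernet1 172.16.3.33 YES DHCP up up
Tunnel1 169.254.218.38 YES manual up up
"""

PING = """\
Sending 5, 100-byte ICMP Echos to 169.254.218.37, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
"""

# 'show ip bgp summary' was not posted; this row is a constructed stand-in
# for the Active state the poster reported.
BGP_SUMMARY = """\
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
169.254.218.37 4 64512 0 0 1 0 0 never Active
"""


def ikev2_ready(text):
    """True when at least one IKEv2 SA row ends in READY."""
    return any(line.split()[-1] == "READY"
               for line in text.splitlines() if line.strip())


def ipsec_counters(text):
    """Return (encaps, decaps) packet counters from 'show crypto ipsec sa'."""
    enc = re.search(r"#pkts encaps:\s*(\d+)", text)
    dec = re.search(r"#pkts decaps:\s*(\d+)", text)
    return (int(enc.group(1)) if enc else 0, int(dec.group(1)) if dec else 0)


def ipsec_active(text):
    """True when an ESP SA reports Status: ACTIVE."""
    return "Status: ACTIVE" in text


def tunnel_state(text, name):
    """Return (status, protocol) for one interface from 'show ip int brief'."""
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0] == name:
            return (fields[-2], fields[-1])
    return (None, None)


def ping_success(text):
    """Success percentage reported by the IOS ping command."""
    m = re.search(r"Success rate is (\d+) percent", text)
    return int(m.group(1)) if m else 0


def bgp_state(text, neighbor):
    """State column for a neighbor; an Established peer shows a prefix count."""
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0] == neighbor:
            return "Established" if fields[-1].isdigit() else fields[-1]
    return None


def diagnose(ikev2, ipsec, brief, ping, bgp, tunnel="Tunnel1", peer="169.254.218.37"):
    """Walk the layers bottom-up and return the first one that fails."""
    if not ikev2_ready(ikev2):
        return {"layer": "ike", "detail": "no IKEv2 SA in READY state: check proposal, PSK and peer address"}
    if not ipsec_active(ipsec):
        return {"layer": "ipsec", "detail": "IKEv2 is READY but no IPsec SA is ACTIVE"}
    if tunnel_state(brief, tunnel) != ("up", "up"):
        return {"layer": "tunnel", "detail": f"{tunnel} is not up/up"}
    enc, dec = ipsec_counters(ipsec)
    if ping_success(ping) == 0:
        return {"layer": "inside",
                "detail": (f"IPsec carries traffic (encaps={enc}, decaps={dec}) but {peer} does not "
                           f"answer ICMP: run 'show ip arp {tunnel}', 'telnet {peer} 179', and confirm "
                           "the attachment type in the AWS console")}
    state = bgp_state(bgp, peer)
    if state != "Established":
        return {"layer": "bgp", "detail": f"inside IPs reachable but neighbor {peer} is {state}, not Established"}
    return {"layer": "ok", "detail": "BGP session Established"}


if __name__ == "__main__":
    print(diagnose(IKEV2_SA, IPSEC_SA, INT_BRIEF, PING, BGP_SUMMARY))
```

Run against the posted outputs it stops at the "inside" layer: the ESP SAs are encrypting and decrypting packets in both directions, yet the AWS inside address does not answer ICMP, which is exactly the point the thread reached before asking for the ARP table, the TCP 179 test and the attachment type.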

mabinvattothu
Level 1

BGP is in Active state and keeps changing back to Idle state, and this is a VPN attachment in the TGW. Do you know if there is any other scenario for how I can make active/active communication towards two routers from the TGW?