Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Pete_Benac
New Contributor

SSL VPN to AWS

Greetings,

I am tasked with setting up AWS from two different locations. For the most part it works, except when trying to reach AWS via the SSL VPN. From the primary site, SSL VPN will hairpin into the AWS tunnels and BGP will send the traffic back as required. I suspect this is because there is a 0.0.0.0 route from that location to AWS.

At issue is the second site. The SSL VPN traffic will hairpin into the AWS tunnel from that location but will not return. The problem as I see it is that the subnet the SSL VPN is on is a policy-based flow. There is no entry in the route table. Since there isn't a static or connected route for the SSL VPN in the route table, BGP has nothing to redistribute. AWS doesn't know how to send the traffic back to the second location.

I need to clean up the routing on the first location, but that will break their connection to AWS via the SSL VPN.

I have tried putting static routes on AWS to send the traffic back, but AWS doesn't seem to care about those, just the BGP routes. I have added the SSL VPN subnet as a known network on the FortiGate; however, without a static or connected route in the route table, the FortiGate won't tell AWS the network exists.

I have tried to add a static route on the FortiGate, but that breaks everything.

AWS Support just keeps telling me they don't see the SSL VPN network in the BGP table. They seem to go brain dead when I point out the static route exists and should take precedence over the dynamic routing.

I can't believe I am the only one facing this issue, so any suggestions that would get SSL VPN traffic to AWS and back would be appreciated.

Regards,

Pete
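As an added illustration (not from the post and not Fortinet's own configuration), these are the two FortiOS CLI objects the post describes as missing at the second site: a route-table entry for the SSL VPN address pool, plus a BGP network statement so the FortiGate has a prefix to advertise to the AWS peers. The pool subnet 10.212.134.0/24 is a constructed value, the interface name ssl.root and the presence of an existing `config router bgp` section with the AWS neighbors are assumptions, and the post itself reports that a static route broke its setup, so this shows the objects, not a verified fix for that site.

```text
config router static
    edit 0
        set dst 10.212.134.0 255.255.255.0
        set device "ssl.root"
        set comment "SSL VPN address pool - assumed subnet, constructed example"
    next
end

config router bgp
    config network
        edit 0
            set prefix 10.212.134.0 255.255.255.0
        next
    end
end
```

An alternative to the network statement is enabling `config redistribute "static"` under `config router bgp`, which would advertise every static route, including any default route, so the explicit prefix is the narrower choice.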