I have a remote site that has a 2851, currently with a single ISP and a site-to-site VPN back to my HQ. I would like to add a second ISP at the remote site for fail-over, as the Internet connection at the location is somewhat unstable. My HQ is fully redundant already with dual ISPs and eBGP. To comply with corporate policy I tunnel all traffic back to HQ for inspection, content filtering, SSL decryption, etc. I'd prefer to use a tunnel interface with this setup, as I can do more with ACLs and security as opposed to crypto maps.
Is it possible in the IOS to do the following?
- Establish a site-to-site tunnel using ISP1 and aggressive mode (works easier at HQ when 2 ISPs are involved) back to HQ.
- If ISP1 fails detect and switch over to ISP2.
- Re-establish the VPN tunnel with ISP2 back to HQ.
- Detect ISP1 is back up and flip back.
I could do this with 2 routers and HSRP but that would involve changing the way things work at HQ with the routing and I would like to avoid that if possible to not introduce more changes. Any thoughts on how to do it would be appreciated. Thanks in advance.
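One way to get the four steps above on a single IOS router, as an added example that is not part of the original post: two static VTIs (one per ISP) to the same HQ peer, local policy routing so each tunnel's encapsulated packets leave via its own ISP regardless of the routing table, DPD so a dead path tears its tunnel down, and an IP SLA probe plus a tracked default route so traffic prefers Tunnel1 and flips back when ISP1 recovers. All addresses (ISP1 198.51.100.0/30, ISP2 192.0.2.0/30, HQ peer 203.0.113.10), the FQDN, the pre-shared key placeholder and the interface names are assumptions for illustration; the crypto algorithms should be adjusted to what the 2851's IOS release supports.

```cisco
! --- ISAKMP / IPsec (assumed algorithms; tune to the IOS release on the 2851) ---
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-PSK address 203.0.113.10
! DPD: a path that dies tears the tunnel down instead of blackholing it
crypto isakmp keepalive 10 3 periodic
! Aggressive-mode initiator settings for the HQ peer (FQDN is an assumed identity)
crypto isakmp peer address 203.0.113.10
 set aggressive-mode password REPLACE-WITH-PSK
 set aggressive-mode client-endpoint fqdn remote1.example.com
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile VTI
 set transform-set TS

! --- WAN interfaces (assumed addressing) ---
interface GigabitEthernet0/0
 description ISP1
 ip address 198.51.100.2 255.255.255.252
interface GigabitEthernet0/1
 description ISP2
 ip address 192.0.2.2 255.255.255.252

! --- One sVTI per ISP, both pointed at the same HQ peer ---
interface Tunnel1
 description to HQ via ISP1
 ip address 10.255.1.2 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
interface Tunnel2
 description to HQ via ISP2
 ip address 10.255.2.2 255.255.255.252
 tunnel source GigabitEthernet0/1
 tunnel destination 203.0.113.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI

! --- Pin each tunnel's outer packets to its own ISP with local PBR ---
ip access-list extended FROM-ISP1
 permit ip host 198.51.100.2 any
ip access-list extended FROM-ISP2
 permit ip host 192.0.2.2 any
route-map LOCAL-PBR permit 10
 match ip address FROM-ISP1
 set ip next-hop 198.51.100.1
route-map LOCAL-PBR permit 20
 match ip address FROM-ISP2
 set ip next-hop 192.0.2.1
ip local policy route-map LOCAL-PBR

! --- Reachability of the peer (prevents recursive routing through the VTIs) ---
ip route 203.0.113.10 255.255.255.255 198.51.100.1
ip route 203.0.113.10 255.255.255.255 192.0.2.1

! --- Probe HQ through ISP1 only; the PBR above forces the echo out Gi0/0 ---
ip sla 1
 icmp-echo 203.0.113.10 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
 delay down 10 up 30

! --- All site traffic goes to HQ: prefer Tunnel1, fall back to Tunnel2 ---
ip route 0.0.0.0 0.0.0.0 Tunnel1 track 1
ip route 0.0.0.0 0.0.0.0 Tunnel2 10
```

Both tunnels stay up all the time; only the default route moves. When the probe via ISP1 fails, track 1 goes down, the Tunnel1 default is withdrawn and the floating route via Tunnel2 takes over; DPD independently clears the dead SA. When ISP1 returns, the `delay up 30` dampens a flapping link before the Tunnel1 route is reinstalled. Two caveats a practitioner should check: the HQ end must terminate a tunnel from each remote ISP address (either two sVTIs or a dynamic VTI, which is where aggressive mode with an FQDN identity helps), and HQ must prefer the remote LAN via the Tunnel1 peer (for example with tracked statics mirroring these or a routing protocol over the tunnels), otherwise HQ-to-site traffic can return over the other path.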