IPSec design BCP

jason
Level 1

I'm working on an IPSec implementation and I'm wondering if my ideas are sound.

Basically, I have to terminate IPSec tunnels from customers over the internet and over our own broadband network. Because the customers are both on-net and off-net, I'm trying to simply hang a security gateway cluster (2 VXRs in HA configuration) off some obscure part of my network, as opposed to having the cluster directly in the traffic stream. I guess this product could be dubbed "Wholesale IPSec".

The VXRs in question have only 1 interface each. The interface hangs off the core network element, so it is reachable from anywhere, and because the traffic could end up anywhere once decrypted, it needs access back into the core network.

Initially, I tried to implement 2 VLANs: 1 for the IPSec termination (with the crypto map applied to it) and 1 for access back to the core network. The problem with that was that because both VLANs came from the core network, and both interfaces were in EIGRP back in the core, my gateways thought they could reach the next hop for the decrypted IPSec packets from either VLAN. This topology didn't work well. To conform with the K.I.S.S. theory, I want to avoid having to do EIGRP route-maps to suppress some routes from being visible via the IPSec VLAN on the gateways, as I want to keep the network configuration as simple as possible.

My thinking and testing thus far have made me realize that the attempt I've made at a scalable, from-any to-any solution for all occasions may need some tweaking.

Not really sure what I'm asking for here. Perhaps if there is anyone out there who can make heads or tails out of what I've tried to articulate here, they can pipe up and tell me if I'm crazy or not :) Otherwise, if anyone can provide any thoughts or references to wholesale VPN, I'd appreciate it.
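The two-VLAN, single-interface design described in the post, written out as an added example (not configuration from the original poster or from Cisco). It keeps the poster's layout, one dot1Q subinterface for IPsec termination and one back toward the core, but places the IPsec-facing subinterface in its own front-door VRF so that the untrusted side holds nothing but a default route and never learns the EIGRP next hops that caused the dual-reachability problem. That VRF separation is the swapped-in technique here, not something the post proposes. Interface names, VLAN IDs, the VRF name, addresses, the customer peer/prefixes, EIGRP AS number and the pre-shared key are all placeholders.

```cisco
! Added example, not from the original post. Assumptions: GigabitEthernet0/0
! is the VXR's single interface; VLAN 10 faces customers/Internet, VLAN 20
! faces the core; 198.51.100.10 is a customer peer; 192.168.10.0/24 is the
! customer's encrypted subnet; 10.0.0.0/8 is the provider core; AS 100 is EIGRP.
!
! Front-door VRF: untrusted routing table for the IPsec-facing VLAN only.
ip vrf FVRF
 description front-door VRF, untrusted IPsec termination side
 rd 65000:1
!
! IKE keys are looked up in the VRF the IKE packet arrives in.
crypto keyring CUST-KEYS vrf FVRF
 pre-shared-key address 198.51.100.10 key PLACEHOLDER-PSK
!
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
!
! Peer identity is matched against the FVRF; no "vrf" inside the profile
! means decrypted packets are placed in the global table (the core side).
crypto isakmp profile CUST-PROFILE
 keyring CUST-KEYS
 match identity address 198.51.100.10 255.255.255.255 FVRF
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
ip access-list extended CUST-ACL
 permit ip 10.0.0.0 0.255.255.255 192.168.10.0 0.0.0.255
!
crypto map WHOLESALE 10 ipsec-isakmp
 set peer 198.51.100.10
 set transform-set TS
 set isakmp-profile CUST-PROFILE
 match address CUST-ACL
 ! RRI injects a static route for 192.168.10.0/24 into the global table,
 ! so the core can be told how to reach the customer behind the tunnel.
 reverse-route
!
interface GigabitEthernet0/0
 no ip address
!
interface GigabitEthernet0/0.10
 description IPsec termination VLAN (untrusted side, in FVRF)
 encapsulation dot1Q 10
 ip vrf forwarding FVRF
 ip address 203.0.113.2 255.255.255.252
 crypto map WHOLESALE
!
interface GigabitEthernet0/0.20
 description core-facing VLAN (trusted side, global table)
 encapsulation dot1Q 20
 ip address 10.255.0.2 255.255.255.252
!
! The untrusted side only needs to reach IPsec peers: one default route.
ip route vrf FVRF 0.0.0.0 0.0.0.0 203.0.113.1
!
! EIGRP speaks only on the core-facing subinterface. The FVRF subinterface
! is not in the global table at all, so core next hops cannot be learned
! or resolved through it and no EIGRP route-maps are needed.
router eigrp 100
 network 10.255.0.0 0.0.0.3
 passive-interface default
 no passive-interface GigabitEthernet0/0.20
 redistribute static metric 10000 100 255 1 1500
```

Checks worth running after applying this: `show ip route vrf FVRF` should contain only the connected /30 and the default; `show ip route` (global) should show the core prefixes via VLAN 20 plus the RRI static for the customer prefix once the SA is up; `show crypto session` should list the peer with its FVRF. The HA pair would need the same configuration on both VXRs plus whatever redundancy mechanism the platform uses, which the post does not describe and this example does not cover.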

1 Reply

hadbou
Level 5