Feklar
Forum Guru
Topic Author
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

OSPF with IPSec failover

Tue Jan 08, 2013 10:21 pm

I'm trying to create a seamless failover setup for testing with OSPF and IPSec between two or more routers. The goal is to have two internet connections, one with MPLS and one over the standard internet. Since MPLS is secure and private already, I don't want to run an IPSec tunnel over that to avoid overhead and latency, but should the MPLS network fail, I do want to secure the traffic going over the public internet.

I do have an OSPF setup working in my test lab now where if a link goes down, it automatically swaps traffic over to the backup connection, and once service is restored puts it back on the primary link. This is done by using EoIP tunnels between each router and running OSPF on them. The next piece to the puzzle is working in IPSec over the "public" network only without using NAT (once again avoiding overhead); that is where it is breaking down for me. I have the IPSec policies in place, and instead of only putting traffic on the backup when the primary link fails, the IPSec tunnel kicks in and sends everything down that link, completely avoiding the "MPLS" network.

Any suggestions on what I could do to work around this? Or do I have to break down and use NAT to accomplish what I want?
