IPsec between sites using dynamic routing

Hi,

I have L2TP/IPsec tunnels between multiple sites (all of them are on dynamic IP …)

Like this; all of them have a site-to-site VPN set up.

siteA-----siteB----siteC
|__________________|


Currently I have a completely static setup but am thinking of using OSPF.
Is it possible to have an alternative route between sites combined with ipsec (tunneling) policies?
As far as I can tell, it's impossible to create the same policies with different SAs.

I'd gladly use transport mode and then slap an IPIP/GRE tunnel on top, but the dynamic IPs make this very complicated.
Any suggestions?

L2TP/IPSec fully supports dynamic IP on the remote peers.

Run IPSec in transport mode, secure the L2TP tunnel with it, use generate-policy on the IPSec responder (L2TP server).
Use a script on remote peers to change the IPSec policy when the WAN IP changes.

Look in my sig; it's covered in my presentation towards the end.
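As an added illustration of the "script on remote peers" step above (example code, not the poster's presentation or any project's own code): a RouterOS-style script for the remote (initiator) side that rewrites the transport-mode policy's src-address when the WAN address changes. It assumes the WAN interface is named ether1, the policy is tagged with the comment "l2tp-to-server", and the responder already has generate-policy enabled on its peer entry as the reply describes.

```routeros
# Assumptions (placeholders, not from the thread): WAN interface "ether1",
# IPsec policy marked with comment "l2tp-to-server". Run from /system scheduler
# or from the DHCP client's script hook so it fires after an address change.

# Current WAN address comes back as "a.b.c.d/prefix"; strip the prefix length.
:local wanAddr [/ip address get [find interface="ether1"] address];
:set wanAddr [:pick $wanAddr 0 [:find $wanAddr "/"]];

# Locate the transport-mode policy that protects the L2TP (UDP/1701) traffic.
:local policyId [/ip ipsec policy find comment="l2tp-to-server"];

:if ([:len $policyId] > 0) do={
  :local cur [:tostr [/ip ipsec policy get $policyId src-address]];
  # Only touch the policy when the address really changed, so existing SAs
  # are not torn down on every scheduler run.
  :if ($cur != "$wanAddr/32") do={
    /ip ipsec policy set $policyId src-address="$wanAddr/32";
    :log info "ipsec policy src-address updated to $wanAddr/32";
  }
} else={
  :log warning "no ipsec policy with comment l2tp-to-server found";
}
```

The responder side needs no matching change: generate-policy lets it build the reverse policy from whatever source address the peer presents, which is what makes dynamic remote IPs work here.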

+1. That’s what I do between two dynamic sites.

Sent from my SCH-I545 using Tapatalk