Sun Jan 09, 2022 4:35 pm
IPsec-encrypted IPIP tunnels with OSPF seem the easiest to configure to me. For the Site C-Site A connection, you cannot use the automatically created IPsec configuration for IPIP encryption because it doesn't support NAT traversal; you'd have to configure it manually: the peer at site A must be set to passive and the policy must be generated dynamically. If the public IP behind which Site C is connected is not static, you'd either have to modify the remote-address of the IPIP tunnel using a script or you'd have to use L2TP/IPsec instead.
Indeed, L2TP on all links would be even better as it allows avoiding any MTU issues, but I hazily remember someone had a problem running an L2TP client and L2TP server simultaneously, so for a ring with an odd number of nodes this could be a problem. So it might require some extra effort to resolve this at one of the sites.
I also never tried to assign other than /32 addresses to L2TP interfaces, which is necessary to make OSPF use these tunnels. With just three sites, static routes with priorities would be sufficient, but the link availability detection of OSPF is much faster than anything you can get without OSPF.