1soproni
just joined
Topic Author
Posts: 4
Joined: Tue Dec 04, 2018 4:29 pm

Redundant VPN among 3 sites

Sun Jan 09, 2022 3:50 pm

Hi guys,

There is a company with three sites. There is a microwave ring among them. There is also a leased line between SiteA and SiteB. All sites must see each other.

SiteA:
Microwave (192.168.191.2)
Leased line with SiteB
Public Internet

SiteB:
Microwave (192.168.191.3)
Leased line with SiteA

SiteC:
Microwave (192.168.191.4)
Internet behind NAT

If the microwave connection fails, then SiteC should reach SiteB via SiteA (leased line).
What would be the most efficient solution to achieve redundant VPN connection among the sites?
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Redundant VPN among 3 sites

Sun Jan 09, 2022 4:35 pm

IPsec-encrypted IPIP tunnels with OSPF seem the easiest to configure to me. For the Site C-Site A connection, you cannot use the automatically created IPsec configuration for IPIP encryption because it doesn't support NAT traversal, you'd have to configure it manually - the peer at site A must be set to passive and the policy must be generated dynamically. If the public IP behind which Site C is connected is not static, you'd either have to modify the remote-address of the IPIP tunnel using a script or you'd have to use L2TP/IPsec instead.

Indeed, L2TP on all links would be even better as it allows one to avoid any MTU issues, but I hazily remember someone had a problem running an L2TP client and L2TP server simultaneously, so for a ring with an odd number of nodes this could be a problem. So it might require some extra effort to resolve this at one of the sites.

I also never tried to assign addresses other than /32 to L2TP interfaces, which is necessary to make OSPF use these tunnels. With just three sites, static routes with priorities would be sufficient, but the link availability detection of OSPF is much faster than anything you can get without OSPF.
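A RouterOS 6.4x sketch of what the reply above describes, added here as an example and not taken from the thread or from sindy: Site A uses the automatic ipsec-secret for the A-B tunnel over the leased line, terminates the NAT-traversing tunnel from Site C with a passive peer plus a dynamically generated policy, and runs OSPF over the microwave ring and both tunnels so the tunnels only carry traffic when the ring is broken. All public/tunnel addresses, interface names and pre-shared keys are assumed placeholders (only the 192.168.191.0/24 microwave range comes from the thread), and the Site C policy selectors should be checked against the RouterOS IPsec documentation for the NAT in use.

```routeros
# ===== Site A (assumed public IP 198.51.100.1, leased-line IP 192.0.2.1) =====
# A<->B: no NAT on the leased line, so the IPIP interface's built-in IPsec is
# enough. ipsec-secret makes RouterOS create peer, identity and policy itself.
/interface ipip add name=ipip-ab local-address=192.0.2.1 remote-address=192.0.2.2 \
    ipsec-secret=PSK_AB_PLACEHOLDER
/ip address add address=10.255.1.1/30 interface=ipip-ab

# A<->C: C is behind NAT, so IPsec is configured by hand. Site A only answers
# (passive=yes) and builds the policy from the selectors C proposes.
/interface ipip add name=ipip-ac local-address=198.51.100.1 remote-address=203.0.113.5
/ip address add address=10.255.2.1/30 interface=ipip-ac
/ip ipsec profile add name=prof-ac hash-algorithm=sha256 enc-algorithm=aes-256 \
    dh-group=modp2048
/ip ipsec peer add name=peer-c address=203.0.113.5/32 exchange-mode=ike2 passive=yes \
    profile=prof-ac
/ip ipsec identity add peer=peer-c auth-method=pre-shared-key secret=PSK_AC_PLACEHOLDER \
    generate-policy=port-strict

# OSPF everywhere; tunnels are point-to-point and cost more than the ring,
# so OSPF only routes B<->C traffic via A when the microwave link is down.
/routing ospf instance set default router-id=10.255.255.1
/routing ospf interface add interface=ether-microwave cost=10
/routing ospf interface add interface=ipip-ab network-type=point-to-point cost=20
/routing ospf interface add interface=ipip-ac network-type=point-to-point cost=20
/routing ospf network add network=192.168.191.0/24 area=backbone
/routing ospf network add network=10.255.1.0/30 area=backbone
/routing ospf network add network=10.255.2.0/30 area=backbone

# ===== Site C (assumed private WAN address 10.0.3.2 NATed to 203.0.113.5) =====
# The initiating side: it must propose a transport-mode policy for the IP-in-IP
# traffic (protocol=ipencap) so Site A can generate the matching policy.
/interface ipip add name=ipip-ca local-address=10.0.3.2 remote-address=198.51.100.1
/ip address add address=10.255.2.2/30 interface=ipip-ca
/ip ipsec profile add name=prof-ca hash-algorithm=sha256 enc-algorithm=aes-256 \
    dh-group=modp2048
/ip ipsec peer add name=peer-a address=198.51.100.1/32 exchange-mode=ike2 profile=prof-ca
/ip ipsec identity add peer=peer-a auth-method=pre-shared-key secret=PSK_AC_PLACEHOLDER
/ip ipsec policy add peer=peer-a tunnel=no protocol=ipencap level=unique \
    src-address=10.0.3.2/32 dst-address=198.51.100.1/32
/routing ospf instance set default router-id=10.255.255.3
/routing ospf interface add interface=ether-microwave cost=10
/routing ospf interface add interface=ipip-ca network-type=point-to-point cost=20
/routing ospf network add network=192.168.191.0/24 area=backbone
/routing ospf network add network=10.255.2.0/30 area=backbone
```

If Site C's NAT public address is not static, the remote-address of ipip-ac on Site A has to be updated by a script (or the link moved to L2TP/IPsec), as the reply notes.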
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Redundant VPN among 3 sites

Sun Jan 09, 2022 5:16 pm

So even if there was any issue with L2TP client and L2TP server running at the same device, it's not there at least in 6.47.10. Also attaching a /24 address to an L2TP interface works as expected.
