[c-nsp] Dual DSL VPN termination?

Jay Hennigan jay at west.net
Wed Nov 17 13:03:25 EST 2004


We have a client with multiple remote sites connecting via various
flavors of DSL.  The remote sites connect back to a 3015 VPN concentrator
at HQ.  Remote equipment is a variety of Linksys and Cisco SOHO.

The customer now wants to bring a second DSL line into the remote sites
from a different provider in order to provide redundancy and ideally load
balancing.

We thought that the Linksys RV082 would be ideal for this as it has two
WAN interfaces and supports load balancing as well as IPSec.  Unfortunately
it appears that this will not allow two tunnels to the same inside network.
It also doesn't appear to allow one to tunnel Internet traffic back over
the VPN, but only offers split-tunneling.  Customer wants all Internet
traffic backhauled for content filtering and anti-virus.  Internet is fairly
low-usage, mostly VPN traffic.

Is anyone aware of a relatively inexpensive device that could be used on
the remote nodes?  As a minimum,

* Two outside and one inside Ethernet interface

* Failover to the same host with two IPSec tunnels

* Force all user Internet traffic through tunnel (prohibit split-tunneling)

Nice to have:

* Load-balance the traffic

I'm considering an IOS router with a single FE interface and dot1q along
with a trunk-capable switch to do VPN-on-a-stick but this is a bit complex
and costly.  SOHO series to the best of my knowledge won't support the
backup WAN.

Also looked at HotBrick (www.hotbrick.com) but despite what it says on
their website they don't support failover or load balancing for VPNs,
only for Internet traffic.

--
Jay Hennigan - CCIE #7880 - Network Administration - jay at west.net
WestNet:  Connecting you to the planet.  805 884-6323      WB6RDV
NetLojix Communications, Inc.  -  http://www.netlojix.com/

