Here is something I have done in the past that works well. This will use one tunnel until there is a failure, then fail over.
- Using @YifengLiu diagram above:
- set up the external Ethernet interfaces for their respective ISPs
- Make sure your policies allow the traffic
- build the first tunnel BLR-PAN eth 1/1 to AZ-PAN eth 1/1. Set up an IP address for each tunnel interface (makes troubleshooting easier)
- Set up OSPF between the two PANs
- Verify adjacency
- verify route propagation
- Build the remaining 3 VPN tunnels:
- BLR-PAN eth 1/2 to AZ-PAN eth 1/1
- BLR-PAN eth 1/1 to AZ-PAN eth 1/2
- BLR-PAN eth 1/2 to AZ-PAN eth 1/2
Then use OSPF to regulate the priority of the tunnels if you are getting asymmetric traffic issues.
- BLR-PAN eth 1/1 to AZ-PAN eth 1/1: normal metric
- BLR-PAN eth 1/1 to AZ-PAN eth 1/2 metric 5000
- BLR-PAN eth 1/2 to AZ-PAN eth 1/2 metric 10000
- BLR-PAN eth 1/2 to AZ-PAN eth 1/1 metric 15000
This is highly simplified, but it should work: if one of the ISPs goes down, OSPF will reroute automatically. You can use Policy Based Forwarding for the static routes between the VPN IPs, and they can be disabled as required.
Hope that makes sense.
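To see which tunnel the metric ladder above actually selects under each ISP failure, here is a small failover simulation. It is an added example, not the poster's configuration or any PAN-OS code: it assumes both firewalls apply the same OSPF cost to each tunnel interface (which is what keeps the selection symmetric in both directions), takes "normal metric" as the PAN-OS default interface cost of 10, and assumes that losing an ISP takes down every tunnel terminating on that ISP's Ethernet interface on either firewall. The tunnel names (tunnel.1 to tunnel.4) and the scenario labels are illustrative.

```python
"""Simulate OSPF tunnel selection for a 2x2 dual-ISP IPsec mesh.

Added example, not the original post's configuration. Assumptions:
  * identical OSPF cost on both ends of each tunnel interface
  * "normal metric" = 10 (PAN-OS default interface cost)
  * an ISP outage removes every tunnel that uses that interface
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Tunnel:
    name: str     # illustrative tunnel interface name
    blr_if: str   # BLR-PAN ISP-facing Ethernet interface the tunnel rides on
    az_if: str    # AZ-PAN ISP-facing Ethernet interface the tunnel rides on
    cost: int     # OSPF cost on the tunnel interface (same value on both PANs)


# Costs taken from the post; interface pairings follow the metric list.
TUNNELS = [
    Tunnel("tunnel.1", "ethernet1/1", "ethernet1/1", 10),
    Tunnel("tunnel.2", "ethernet1/1", "ethernet1/2", 5000),
    Tunnel("tunnel.3", "ethernet1/2", "ethernet1/2", 10000),
    Tunnel("tunnel.4", "ethernet1/2", "ethernet1/1", 15000),
]

# Constructed failure scenarios: sets of (firewall, interface) whose ISP is down.
SCENARIOS = {
    "all up": frozenset(),
    "BLR eth1/1 down": frozenset({("BLR", "ethernet1/1")}),
    "BLR eth1/2 down": frozenset({("BLR", "ethernet1/2")}),
    "AZ eth1/1 down": frozenset({("AZ", "ethernet1/1")}),
    "AZ eth1/2 down": frozenset({("AZ", "ethernet1/2")}),
    "BLR eth1/1 + AZ eth1/2 down": frozenset({("BLR", "ethernet1/1"), ("AZ", "ethernet1/2")}),
    "BLR eth1/1 + AZ eth1/1 down": frozenset({("BLR", "ethernet1/1"), ("AZ", "ethernet1/1")}),
    "both BLR ISPs down": frozenset({("BLR", "ethernet1/1"), ("BLR", "ethernet1/2")}),
}


def up_tunnels(tunnels, failed):
    """Tunnels that survive the given set of (firewall, interface) outages."""
    return [
        t for t in tunnels
        if ("BLR", t.blr_if) not in failed and ("AZ", t.az_if) not in failed
    ]


def best_tunnel(tunnels, failed=frozenset()):
    """Tunnel OSPF selects between the two directly adjacent PANs, or None.

    With N parallel links between two routers, SPF reduces to picking the
    lowest-cost link; equal costs would become ECMP candidates instead.
    """
    alive = up_tunnels(tunnels, failed)
    if not alive:
        return None
    return min(alive, key=lambda t: t.cost)


def costs_are_distinct(tunnels):
    """Config check: distinct costs guarantee a single deterministic winner."""
    costs = [t.cost for t in tunnels]
    return len(costs) == len(set(costs))


def failover_table(tunnels, scenarios=SCENARIOS):
    """Map each scenario name to the selected tunnel name (or None)."""
    table = {}
    for label, failed in scenarios.items():
        chosen = best_tunnel(tunnels, failed)
        table[label] = chosen.name if chosen else None
    return table


if __name__ == "__main__":
    print("distinct costs:", costs_are_distinct(TUNNELS))
    for label, chosen in failover_table(TUNNELS).items():
        print(f"{label:32s} -> {chosen}")
```

Reading the table: a single ISP loss on either side always leaves a tunnel that uses the surviving interface on that firewall, and because the costs are strictly ordered both PANs agree on the same tunnel, so traffic stays symmetric after failover. Only when both ISPs on one firewall are gone is there no path at all.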