We have two ISPs, each of which has assigned us a bank of public IP addresses.
Let's call the first ISP "VZON" and the second ISP "CCAST".
Telephony (VoIP) traffic goes out the VZON gateway; all other data traffic goes out the CCAST gateway.
There is a site-to-site VPN connecting a remote site via the CCAST gateway. We would like that VPN to be "more or less highly available".
Since that's a fuzzy term, I will define what we mean by it. If the CCAST gateway connectivity fails (perhaps CCAST's router fails, or someone accidentally pulls the electric plug) we would like a "standby" VPN to come online automatically using the VZON gateway; and once the failure on the CCAST gateway has been fixed, we would like the VPN to revert automatically to use the CCAST gateway.
Does this scenario require two hardware firewalls at the remote site? Or can a single firewall (let's say some CISCO SRX model) configure two VPNs, using different gateways on the other end, and treat one of them as a "standby", bringing it online only when it detects that the remote peer is "dead" (by using Dead Peer Detection or some other method)?
P.S. If a single firewall with a primary and a "standby" VPN is not possible, is it possible to have two concurrent VPNs, but have one of them get 90% of the traffic and the other 10%, again using only a single firewall at the remote site and no additional devices, but when the connectivity on the "main" VPN fails, the load shifts automatically to 100% for the "ancillary" VPN?
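To make the primary/standby and the 90/10 behaviours asked about above concrete, here is an added Python model (not part of the original post and not any vendor's firewall configuration) of a single firewall tracking both tunnels with Dead Peer Detection and choosing where traffic goes; the tunnel names, the DPD threshold and the probe timeline are constructed assumptions.

```python
# Added model, not any vendor's configuration: names, thresholds and timelines are assumptions.
from dataclasses import dataclass

@dataclass
class Tunnel:
    name: str                 # "vpn-ccast" (primary) or "vpn-vzon" (standby)
    dpd_threshold: int = 3    # consecutive unanswered DPD probes before "peer dead"
    missed: int = 0
    up: bool = True

    def dpd_probe(self, peer_replied: bool) -> bool:
        """Record one Dead Peer Detection probe result; return the tunnel's up/down state."""
        if peer_replied:
            self.missed, self.up = 0, True   # peer answers again: tunnel usable, revert allowed
        else:
            self.missed += 1
            if self.missed >= self.dpd_threshold:
                self.up = False              # threshold reached: declare the peer dead
        return self.up

def traffic_split(primary: Tunnel, standby: Tunnel, primary_share: int = 100) -> dict:
    """Percent of traffic per tunnel. primary_share=100 is active/standby with
    automatic revert; primary_share=90 is the 90/10 split from the P.S."""
    if primary.up and standby.up:
        return {primary.name: primary_share, standby.name: 100 - primary_share}
    if primary.up:
        return {primary.name: 100, standby.name: 0}
    if standby.up:
        return {primary.name: 0, standby.name: 100}
    return {primary.name: 0, standby.name: 0}   # both peers dead: nothing usable

def simulate(probe_results, primary_share: int = 100) -> list:
    """Replay a DPD timeline of (primary_replied, standby_replied) pairs and
    return the traffic split after each probe interval."""
    primary, standby = Tunnel("vpn-ccast"), Tunnel("vpn-vzon")
    history = []
    for p_ok, s_ok in probe_results:
        primary.dpd_probe(p_ok)
        standby.dpd_probe(s_ok)
        history.append(traffic_split(primary, standby, primary_share))
    return history

if __name__ == "__main__":
    # Constructed outage: the CCAST peer stops answering for 4 intervals, then recovers.
    timeline = [(True, True)] * 2 + [(False, True)] * 4 + [(True, True)] * 2
    for step, split in enumerate(simulate(timeline)):
        print(step, split)
```

In this model the standby takes over only after the DPD threshold is reached, and traffic reverts on the first answered probe; a real firewall must also re-negotiate the IKE and IPsec SAs before the primary tunnel carries traffic again, so the revert takes longer than one probe interval.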