We have a central site hosting an ERP application and several remote
sites connecting over IPSEC tunnels. Each site uses a unique private
class C subnet and a router providing NAT and IPSEC. By using multiple
ISPs at each site, we would like to build an architecture that:

1. Keeps telnet traffic to/from the ERP host running at low latency,
even under heavy network/VPN load
2. Provides redundancy for the VPN connections, so that we can lose
an ISP connection at any site and still provide access to the ERP
through an IPSEC tunnel

Point 1 sounds like a solution using traffic shaping, but can I
effectively shape traffic within the IPSEC tunnel (so that say, SMB
over IPSEC won't kill telnet over the same tunnel)?

Point 2 sounds quite tricky, and I'd love any suggestions people have
about doing highly available VPN tunnels.


Currently, our network looks like this (only one remote site shown):


              Main Site                                   Remote Site
192.168.0.2   +---------------+             +---------------+   192.168.30.2
192.168.0.3---|NAT/VPN router +--INTERNET--+|NAT/VPN router |---192.168.30.3
192.168.0.4   +------+--------+             +-------+-------+   192.168.30.4
                     |                              |
                     +-----------IPSEC--------------+

Many thanks,
Toby.
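One way to do the shaping asked about in point 1, as an added example that is not from the original post: it assumes Linux routers with iptables and tc, policy-based IPsec, a WAN interface named eth0, a 2 Mbit/s uplink and the ERP host 192.168.0.2 from the diagram (all assumptions). Telnet to and from the ERP host is marked while it is still the inner packet; because Linux keeps that fwmark on the ESP packet it produces, an HTB filter on the outer interface can put it into a prioritised class ahead of the SMB traffic sharing the tunnel.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: Linux router with
# iptables/tc, policy-based IPsec, WAN interface eth0, 2 Mbit/s uplink, and
# the ERP host 192.168.0.2 from the diagram. "sh shape.sh apply" installs
# the rules; with no argument the script only prints them (plan mode).
WAN=eth0
UPLINK=2mbit
ERP_HOST=192.168.0.2
DRY_RUN=1

# In plan mode print the command; otherwise execute it.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

shape_up() {
  # Mark telnet to/from the ERP host while it is still the inner packet.
  # Linux keeps the fwmark on the ESP packet that IPsec produces, so the
  # tc filter below still recognises it after encryption.
  run iptables -t mangle -A FORWARD -p tcp --dport 23 -d "$ERP_HOST" -j MARK --set-mark 1
  run iptables -t mangle -A FORWARD -p tcp --sport 23 -s "$ERP_HOST" -j MARK --set-mark 1
  # HTB on the WAN side: 1:10 is the interactive class with a guaranteed
  # 256 kbit/s and top priority; 1:20 (the default) carries everything else,
  # e.g. SMB inside the same tunnel. Both may borrow up to the full uplink.
  run tc qdisc add dev "$WAN" root handle 1: htb default 20
  run tc class add dev "$WAN" parent 1: classid 1:1 htb rate "$UPLINK" ceil "$UPLINK"
  run tc class add dev "$WAN" parent 1:1 classid 1:10 htb rate 256kbit ceil "$UPLINK" prio 0
  run tc class add dev "$WAN" parent 1:1 classid 1:20 htb rate 1700kbit ceil "$UPLINK" prio 1
  # Fair queueing inside each class so one flow cannot starve the others.
  run tc qdisc add dev "$WAN" parent 1:10 handle 10: sfq perturb 10
  run tc qdisc add dev "$WAN" parent 1:20 handle 20: sfq perturb 10
  # Steer packets carrying mark 1 (the telnet-derived ESP) into class 1:10.
  run tc filter add dev "$WAN" parent 1: protocol ip prio 1 handle 1 fw flowid 1:10
}

case "${1:-plan}" in
  apply) DRY_RUN=0 ;;
  *)     DRY_RUN=1 ;;
esac
shape_up
```

Set UPLINK slightly below the real ISP rate so that the queue builds on the router rather than in the ISP's equipment. A router can only shape its own outbound direction, so the same script (with its own addresses) is needed on the remote site's router as well.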