Here is the scenario. We have a hub and spoke point-to-point T1 infrastructure to our remote offices, obviously converging at our HQ. We have brought in DSL connections to each remote office as well, and plan to offload HTTP traffic through the DSL. We also want to use this DSL connection for a Site-to-Site VPN back to HQ if/when the T1 fails.
We are using Cisco 2600-series routers for the T1 links. We want to purchase Cisco 871 routers for the remote offices to provide firewall/vpn services.
Our Cisco routers hosting the T1 connections talk to each other through EIGRP. We plan on using route redistribution for RIP so the Cisco 871 (default IOS doesn't do EIGRP) can get these routes when the T1 is up and route the appropriate traffic over it. When the T1 fails, the routes will dissappear from the RIP advertisements and the Cisco 871 will stop sending corporate traffic to the 2600 router and hopefully start to use its Crypto map to send that traffic. We want the VPN to be 100% idle until the T1 goes down, in fact, it would be best if the VPN never even dialed until it was needed.
Here is the question, when a crypto map exists for a certain destination network in a Cisco device, is it smart enough to NOT use the crypto map for that network when it is also receiving routes from a dynamic routing protocol for the same network? Can you set administrative distances on crypto traffic?