Thanks DG,
And regarding this design, I have three questions to add if possible to add:
1-Do you think is better to connect local controllers through VPN or maybe the regular way through a Master - local IPSec tunnel creating the routing so that auth goes straight to the central site and local traffic locaclly?
2- What benefits would you get by configuring it in either way?
3- When connecting locals through VPN to a central redundant Master using VRRP, what redundancy options can we put into de locals and how does it work when tone of the locals goes down?
Thanks so much for your assistance!
Martin