0

Can HSRP be used to set up a high-availability site-to-site VPN using two routers from different ISPs? If one ISP's connectivity fails, the VPN would be switched over to the other ISP transparently, and when the connectivity is restored, it would switch back?

                                     ....Router1 ----\ 
    VPN  HSRP firewall <->CLOUD...../                  -> firewall --> LAN
                                    \....Router2 ----/                
mrblint

1 Answer

0

HSRP by itself is going to be limited in terms of what it can achieve. It's nominally just a mechanism to allow a pair of routers to share a virtual MAC/IP in active/passive configuration. In the event that the active dies, the passive router takes over. By definition it's only handling outbound traffic.

It's possible to layer other solutions onto HSRP - so, for example, link tracking can be used so that the primary router drops its priority and allows the secondary to take over in the event that an upstream link (or route) is lost while both routers are still alive. To get to something approaching an HA solution you'd need to have some kind of mechanism on both routers that was actively checking the availability of the path between the routers. Getting BGP routes from the upstream is certainly a start, but ultimately if you can't demonstrate that traffic is actually passing you really don't know if you have connectivity. This would get you into scripting on the router, mechanisms of validating connectivity, etc. There are mechanisms within IOS / XE to do this (PfR and such) to allow you to put it together. Or, alternately, take a look at what's available with iWAN - which puts it all together (and some other useful stuff) to run over any combination of link types, etc.

rnxrx
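An added example of the link-tracking approach the answer describes, written for this page and not taken from the question or the answer. It pairs HSRP with IOS object tracking: each router probes its own ISP path with an IP SLA ICMP echo, and the HSRP priority is decremented when the probe fails, so the router behind a healthy ISP becomes active; `preempt` is what makes the active role move back when the failed path recovers. All addresses, interface names and the ISP gateways are constructed placeholders.

```cisco
! ---------- Router1 (preferred active, uplink to ISP-A) ----------
! Probe a target on the far side of the ISP-A uplink, not just the local
! interface: line-protocol tracking only proves the first hop is up.
ip sla 1
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/0
 frequency 5
ip sla schedule 1 life forever start-time now
!
! Track object goes DOWN when the probe stops getting replies
track 1 ip sla 1 reachability
!
interface GigabitEthernet0/0
 description Uplink to ISP-A (constructed address)
 ip address 203.0.113.2 255.255.255.252
!
interface GigabitEthernet0/1
 description Inside LAN, shared HSRP virtual IP 10.0.0.1
 ip address 10.0.0.2 255.255.255.0
 standby version 2
 standby 1 ip 10.0.0.1
 standby 1 priority 110
 ! preempt: reclaim the active role once our priority is higher again;
 ! the delay gives routing a moment to settle before switching back
 standby 1 preempt delay minimum 30
 ! 110 - 20 = 90, below Router2's 100, so Router2 takes over on ISP-A loss
 standby 1 track 1 decrement 20

! ---------- Router2 (standby, uplink to ISP-B) ----------
ip sla 1
 icmp-echo 198.51.100.1 source-interface GigabitEthernet0/0
 frequency 5
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability
!
interface GigabitEthernet0/0
 description Uplink to ISP-B (constructed address)
 ip address 198.51.100.2 255.255.255.252
!
interface GigabitEthernet0/1
 description Inside LAN, shared HSRP virtual IP 10.0.0.1
 ip address 10.0.0.3 255.255.255.0
 standby version 2
 standby 1 ip 10.0.0.1
 standby 1 priority 100
 standby 1 preempt delay minimum 30
 ! 100 - 20 = 80: if ISP-B also fails, Router1 (90) stays preferred
 standby 1 track 1 decrement 20
```

The decrement values are chosen so that the ordering stays sensible in every combination: Router1 healthy (110) beats Router2 healthy (100); Router1 degraded (90) loses to Router2 healthy (100) but still beats Router2 degraded (80). As the answer notes, a reply from the ISP gateway only shows the first hop is alive; probing the remote VPN peer (or another address beyond the ISP) with the same `ip sla` / `track` mechanism gives a better approximation of "traffic is actually passing". Check the result with `show track` and `show standby brief`.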