Channel: EdgeRouter topics

Feasible? Replace Cisco with EdgeRouter - dual WAN and VPN (Roadwarrior and Site-to-Site)


I purchased an ER-X to experiment with at home, and so far I'm impressed. I'm looking at some offices currently using older Cisco routers, and wondering if an EdgeRouter can replicate all of the functionality I need. I'll try to break this down into pieces.


Dual WAN with failover

  • WAN1 and WAN2 have single static IPs
  • separate ISPs / different gateways
  • WAN2 (backup) is metered, so failover only


Multiple LAN/VLAN

  • fairly simple (could include LAN, SERVER, DMZ, and GUEST)
  • routing between LAN/VLAN as required
  • (ideally) do NOT have guest traffic failover to WAN2


Road Warrior VPN

  • presently using the old Cisco VPN Client, pre-shared key and XAUTH with RADIUS
  • would like to avoid 3rd party software (e.g., OpenVPN)
  • needs to work from behind NAT
  • L2TP/IPSec seems like the currently supported way to do this?
  • IKEv2 looks like it might be the "better" way to do this going forward? (beta required: IKEv2)
  • (ideally) road warriors could connect through WAN1 or WAN2


Site-to-Site VPN

  • to support telework
  • can put an EdgeRouter at the remote end
  • remote end could be static, DHCP or PPPoE
  • (ideally) remote sites could connect through WAN1 or WAN2


IPSec (Hardware) Client Behind Main Router (see diagram below)

  • This is a Cisco EZVPN client running on a Cisco IOS router
  • no control over the VPN setup running on this box (though I *do* have access to the box)
  • it can connect to multiple peer IP addresses (only 1 at a time)
  • it works behind NAT (with caveats)
  • presently, the "Main Router" in the diagram below is a Cisco IOS router. When it fails over to WAN2, the EZVPN client drops and won't reestablish. If I "clear ip nat translations" on the main router, the EZVPN client will reestablish. (note: I only clear NAT translations involving the EZVPN peers)
  • presently, if the EZVPN client tries to reconnect to a different peer, it fails until I "clear ip nat translations" on the main router. (note: I only clear NAT translations involving the EZVPN peers)
  • presently, I have this scripted on the Ciscos with a combination of SLAs, tracking objects, and EEM scripts (can go into detail if necessary)
  • If replacing the "Main Router" with an EdgeRouter, what happens to IPsec clients (like EZVPN) behind it when failover happens? Will I need to / can I script the clearing of NAT translations?

[image: diagram.png]
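
An added example (not from the post or from Ubiquiti) of how the dual-WAN part of these requirements maps onto EdgeOS: WAN2 is failover-only, the guest VLAN is steered through a second group that only contains WAN1, and a transition script hook is registered for the state change. Interface names (eth0 = WAN1, eth1 = WAN2, switch0 vif 10 = LAN, vif 40 = GUEST), the RFC 5737 test targets, the 10.x address ranges and the script path are assumptions.

```edgeos
# Added example, not from the post. Assumed: eth0 = WAN1, eth1 = WAN2,
# switch0 vif 10 = LAN, switch0 vif 40 = GUEST; addresses are placeholders.

# WAN group: eth1 (metered) is only used while eth0's route test fails
set load-balance group WLB interface eth0 route-test type ping target 192.0.2.1
set load-balance group WLB interface eth1 failover-only
set load-balance group WLB interface eth1 route-test type ping target 198.51.100.1
# Hook invoked on a status change of a group member (assumed script path)
set load-balance group WLB transition-script /config/scripts/wlb-transition.sh

# Guest group contains WAN1 only, so guest traffic never fails over to WAN2
set load-balance group GUEST-WLB interface eth0

# Policy: leave inter-VLAN traffic on the main table, then pick a group by source
set firewall modify balance rule 10 action modify
set firewall modify balance rule 10 destination address 10.0.0.0/8
set firewall modify balance rule 10 modify table main
set firewall modify balance rule 20 action modify
set firewall modify balance rule 20 source address 10.40.0.0/24
set firewall modify balance rule 20 modify lb-group GUEST-WLB
set firewall modify balance rule 30 action modify
set firewall modify balance rule 30 modify lb-group WLB

# Apply the policy on inbound traffic from each VLAN
set interfaces switch switch0 vif 10 firewall in modify balance
set interfaces switch switch0 vif 40 firewall in modify balance
```

The transition script is the place to drop the stale NAT/conntrack entries for the EZVPN peer addresses on failover (the EdgeOS counterpart of the Cisco "clear ip nat translations" step); this assumes the conntrack-tools binary is present on the device, which should be verified on the target firmware first.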
