You can configure IPSec tunnel redundancy by specifying a backup destination address. The local router sends keepalives to determine the remote site’s reachability. When the peer is no longer reachable, a new tunnel is established. For up to 60 seconds during failover, traffic is dropped without notification being sent. Figure 6 shows IPSec primary and backup tunnels.
Figure 6: IPSec Tunnel Redundancy

To configure IPSec tunnel redundancy, include the backup-destination statement at the [edit interfaces unit logical-unit-number tunnel] hierarchy level:

    backup-destination address;
    destination address;
    source address;

Note: Tunnel redundancy is supported on M-series and T-series routing platforms. The primary and backup destinations must be on different routers. The tunnels must be distinct from each other and policies must match.
For more information about tunnels, see Tunnel Interfaces Configuration Guidelines.