Configuring IPsec Tunnel Redundancy
You can configure IPsec tunnel redundancy by specifying a backup destination address. The local router sends keepalives to determine the remote site’s reachability. When the peer is no longer reachable, a new tunnel is established. For up to 60 seconds during failover, traffic is dropped without notification being sent. Figure 1 shows IPsec primary and backup tunnels.
Figure 1: IPsec Tunnel Redundancy

To configure IPsec tunnel redundancy, include the backup-destination statement at the [edit interfaces unit logical-unit-number tunnel] hierarchy level:
Note: Tunnel redundancy is supported on M Series and T Series routers. The primary and backup destinations must be on different routers. The tunnels must be distinct from each other and policies must match.
For more information about tunnels, see Tunnel Properties.