We have a few clients that we establish VPNs with. The ones that use Juniper routers for VPNs want to establish a failover configuration where our VPN would dynamically route over a VPN to their secondary peer address. Their secondary peer address is on their own backup internet circuit.
They have no problem with making the failover dynamic on their side.
We have to manually change a static route to point to their secondary peer address as the gateway for their internal network before the traffic takes the secondary path. Since this client is on the other side of the world, this involves waking the on-call engineer in the middle of the night, which is inherently a kludgy process.
Here's our config. I'm open to suggestions. These IPs are fictitious, of course, and we proxy-route the public IP through the internet firewall to enable the public loopback. Inside and outside VPN router interfaces are privately addressed.
The routes we have to change to route to their secondary peer would be these statics:
    no ip route 192.168.1.0 255.255.255.0 a.a.a.a
    ip route 192.168.1.0 255.255.255.0 b.b.b.b
10.1.x.0 and 10.1.y.0 are our local networks.
    ! Crypto map: IKE/IPsec sourced from Loopback0 (the public address),
    ! with the client's primary and secondary peers listed in order.
    crypto map CryptoMap local-address Loopback0
    crypto map CryptoMap 180 ipsec-isakmp
     description VPN to client - both peers required!!!
     set peer a.a.a.a
     set peer b.b.b.b
     set security-association lifetime kilobytes 4096
     set transform-set Transform
     set pfs group2
     match address Client-networks
    ! Interface-level commands (interface header not shown): the public
    ! loopback address, and the crypto map applied to the interface.
     ip address 126.96.36.199 255.255.255.0
     crypto map CryptoMap
    ! Statics: the client network via the primary peer, both peers via the firewall.
    ip route 192.168.1.0 255.255.255.0 a.a.a.a
    ip route a.a.a.a 255.255.255.0 [firewall]
    ip route b.b.b.b 255.255.255.0 [firewall]
    ! Crypto ACL: interesting traffic from our two local networks to the client network.
    ip access-list extended Client-networks
     permit ip 10.1.x.0 0.0.0.255 192.168.1.0 0.0.0.255
     permit ip 10.1.y.0 0.0.0.255 192.168.1.0 0.0.0.255
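An added example, not part of the post above, of how the same static-route change can be made automatic on Cisco IOS with an IP SLA probe and a tracked static route plus a floating static. The SLA/track numbers, the timers, the assumption that a.a.a.a answers an ICMP echo sourced from Loopback0 and that the internet firewall passes that echo and its reply, and the DPD keepalive line are all assumptions of this example, not the poster's configuration:

```cisco
! Added example (not from the post): replace the hand-edited static with a
! tracked static plus a floating static, so the route flips by itself.
! Assumptions: a.a.a.a answers ICMP echo sourced from Loopback0, the internet
! firewall permits that echo and reply, and SLA/track number 10 is unused.
!
! Probe the primary peer address every 10 s from the public loopback.
ip sla 10
 icmp-echo a.a.a.a source-interface Loopback0
 frequency 10
 timeout 2000
ip sla schedule 10 life forever start-time now
!
! Track reachability; dampen flaps so one lost probe does not flip the route.
track 10 ip sla 10 reachability
 delay down 30 up 60
!
! The primary static is installed only while track 10 is up; the floating
! static (AD 250) takes over when it is withdrawn and is removed again when
! the primary returns. The recursive statics for a.a.a.a and b.b.b.b via the
! firewall stay exactly as in the existing config.
ip route 192.168.1.0 255.255.255.0 a.a.a.a track 10
ip route 192.168.1.0 255.255.255.0 b.b.b.b 250
!
! Dead peer detection, so ISAKMP notices the dead primary and the crypto map
! moves on to b.b.b.b instead of waiting for the SA lifetime to expire.
crypto isakmp keepalive 10 3 periodic
```

Two things to check before relying on this. The probe to a.a.a.a is not matched by the Client-networks ACL, so it leaves the router in the clear to the peer's public address; it only tells you that address is reachable, not that the tunnel is passing traffic, so a peer whose public address still answers ping while its VPN is broken will not trigger the failover (probing a host inside 192.168.1.0/24 instead tests the tunnel, but the probe then has to be sourced from an address covered by the crypto ACL). And the route change by itself does not re-key IKE, which is why the DPD keepalive is part of the example: the track delay and the DPD interval should be tuned together so the crypto map has already failed over to b.b.b.b by the time the floating route is installed.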