The best thing to do is to let routing handle the failover, using the following steps:
Build a normal backup interface configuration.Then build a generic routing encapsulation (GRE) tunnel and source it from the local router to the remote router using loopbacks.Change the crypto map to encrypt the GRE peers rather than the IP networks. If you do it this way, the loopbacks are always up, and therefore so is the GRE tunnel. If the GRE tunnel is up, the traffic is encrypted.Using GRE removes the issue of stale security associations (SAs) existing and preventing the IPSec tunnel from re-forming after an interface hit.
For more information, see GRE over IPSec<