You can define multiple addresses for a peer to connect as back-up when the IPSec tunnel to the primary headend device fails. this is an example:
crypto map VPN 10 ipsec-isakmpset peer 126.96.36.199 !--- The primary headend. set peer 192.168.1.9 !--- The secondary peer.match address 111set transform-set ESP-3DES
crypto map VPN 10 ipsec-isakmp
set peer 188.8.131.52
!--- The primary headend.
set peer 192.168.1.9
!--- The secondary peer.
match address 111
set transform-set ESP-3DES
Make sure to adjust the routing so the traffic is sent accordingly.
The secondary device is contacted if the IPSec tunnel to the primary device fails to connect.
Note: This is also applicable to PIX Firewalls.
For more information, refer to the Creating Static Crypto Maps section of Configuring Security for VPNs with IPsec.