
How to fail over static IPsec VPN tunnels?

I have a network with resilient gateways whereby customer sites use a default gateway to reach the internet edge routers, and the primary route for traffic uses a lower metric. IPsec tunnels are initiated from VPN concentrators behind the edge routers and are statically configured to the destination tunnel endpoints, which are 3rd party data centers. I am not able to use a dynamic routing protocol with the 3rd party.

[Image: Network Topology]

The problem is that the peering address range that the 3rd party is using periodically changes and brings down the primary tunnel, and a manual switch to the secondary tunnel is being cumbersomely carried out.

1. How can I most efficiently fail over between tunnels in this scenario if the destination IPs are not reliable for the static IPsec configuration?
2. How would I pre-empt the primary tunnel once the endpoint becomes available?

One solution is to use Performance Routing (PfR) on the gateway routers. PfR can test connectivity to each data center and then route traffic to whichever one is responding. So if a tunnel goes down, PfR will automatically route traffic through the other tunnel to the other data center.

PfR can do this by pinging (or using IP SLA) each of the data centers. If the London tunnel fails, PfR will route traffic through the New York tunnel, and vice versa.

I would like to give you a configuration, but I need to see more details about your network. In the meantime, you can look at a couple of things:

Here's a video if you're more of a visual learner.
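
The probe-driven failover and pre-emption discussed above can also be sketched with IP SLA object tracking and a floating static route instead of PfR itself. This is an added example, not a configuration from the original answer; it assumes route-based tunnels (Tunnel1 primary to London, Tunnel2 secondary to New York), and every address, interface name and object number is a placeholder.

```cisco
! Added example: IP SLA + object tracking, not PfR.
! Assumed placeholders: 192.0.2.10 = probe target inside the primary
! data center, 198.51.100.0/24 = remote prefix reached over the tunnels.
!
! Probe the primary data center every 5 s.
ip sla 10
 icmp-echo 192.0.2.10 source-interface Tunnel1
 threshold 500
 timeout 1000
 frequency 5
ip sla schedule 10 life forever start-time now
!
! Pin the probe target to the primary tunnel so the probe keeps testing
! Tunnel1 after traffic has moved to Tunnel2.
ip route 192.0.2.10 255.255.255.255 Tunnel1
!
! Track probe reachability.
!  delay down 15 : fail over only after 15 s of loss (no flap on one lost ping)
!  delay up 60   : pre-empt back to the primary only after 60 s of stability
track 10 ip sla 10 reachability
 delay down 15 up 60
!
! Primary route is installed only while track 10 is up.
ip route 198.51.100.0 255.255.255.0 Tunnel1 track 10
!
! Floating static route (administrative distance 250) takes over when the
! tracked primary route is withdrawn.
ip route 198.51.100.0 255.255.255.0 Tunnel2 250
```

`show track 10` and `show ip sla statistics 10` show the current tracked state and probe results. This only detects loss of reachability and moves traffic; it does not change the statically configured peer addresses.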
