Juniper IP SERVICES - CONFIGURATION GUIDE V 11.1.X Configuration Manual page 181

3.
4.
ipsec option dpd
tunnel destination backup
NOTE: If you use a FQDN to specify the IPSec tunnel destination backup, the tunnel
is not initiated by the ERX router. However, the router does respond to negotiations
for this backup tunnel.
host1(config)#virtual-router vrA
host1:vrA(config)#
Create an IPSec tunnel, and specify the transport VR.
host1:vrA(config)#interface tunnel ipsec:Aottawa2boston transport-virtual-router
default
host1:vrA(config-if)#
Specify the address or identity of the tunnel destination backup endpoint.
host1:vrA(config-if)#tunnel destination backup identity
branch500.customer77.isp.net
Use to enable dead peer detection (DPD) on the router. DPD is also known as
IKE keepalive.
You configure DPD on a per-virtual router basis.
Both peers must support DPD.
Example
host1(config)#ipsec option dpd
Use the no version to restore the default, which disables DPD.
See ipsec option dpd.
Use to specify the address or identity of the remote IPSec tunnel endpoint that
is a backup tunnel destination. When DPD detects a disconnection between the
E Series router and the regular IPSec tunnel destination, the router redirects
traffic to the tunnel destination backup, and vice versa.
You can use either the IP address or fully qualified domain name (FQDN) to
identify the backup IPSec tunnel, however you must use the same type of identity
that is used to specify the regular tunnel destination.
For signaled IPSec tunnels in cable or DSL environments, use the FQDN to
identify the tunnel destination backup, which does not have a fixed IP
address.
The identity string can include an optional user@ specification preceding
the FQDN (this is also known as a user FQDN).
Examples
host1(config-if)#tunnel destination backup 10.10.11.15
Chapter 5: Configuring IPSec
155
Configuration Tasks