Another option you can try is specifying multiple peer addresses in the IKE Gateway. What happens there is it will choose the first gateway, and perform IPSec negotiations to that IP. If DPD heartbeats are successfully being sent between the two, the VPN will stay up, and failover will not occur. However, once DPD fails, then it will trigger a negotiation to the second IP (since the first IP is considered down).
Example:

    gateway P1-gw {
        ike-policy P1;
        address [ 172.22.145.194 172.22.145.195 ];
        dead-peer-detection {
            always-send;
            interval 10;
        }
        external-interface ge-0/0/0.0;
    }
In addition to this, you need to make sure you have establish-tunnels immediately configured, so that when the failure occurs, interesting traffic will get sent through the tunnel and the IPSec tunnel is built to the second peer.
Warning: There is one gotcha with this. The failover mechanism may work, and the VPN traffic will pass on the backup. However, once the primary connection is regained, it will not fail back. This is because there is no preempt mechanism with this feature. The only way the fail back will occur is if the secondary connection loses DPD, which forces a failover back to the original.
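Added example, not the poster's own configuration: a complete hierarchy-format snippet that ties the two-address IKE gateway above to its IPsec VPN with establish-tunnels immediately, and lists the operational commands for checking which peer the SA is currently built to. The names P1-vpn and P1-ipsec, the st0.0 binding, the DPD threshold value and the pre-shared key placeholder are assumptions, and st0.0 is assumed to already be in a security zone.

```junos
/* Added example; assumed names: P1-vpn, P1-ipsec, st0.0. */
security {
    ike {
        policy P1 {
            mode main;
            proposal-set standard;
            pre-shared-key ascii-text "REPLACE-WITH-PSK";   /* placeholder */
        }
        gateway P1-gw {
            ike-policy P1;
            /* the first address is tried first; the second is used only
               after DPD declares the first peer down */
            address [ 172.22.145.194 172.22.145.195 ];
            dead-peer-detection {
                always-send;
                interval 10;
                threshold 3;   /* assumed: missed probes before the peer is declared down */
            }
            external-interface ge-0/0/0.0;
        }
    }
    ipsec {
        policy P1-ipsec {
            proposal-set standard;
        }
        vpn P1-vpn {
            bind-interface st0.0;
            ike {
                gateway P1-gw;
                ipsec-policy P1-ipsec;
            }
            /* bring the tunnel up without waiting for interesting traffic,
               so re-negotiation to the second peer starts as soon as DPD fails */
            establish-tunnels immediately;
        }
    }
}
/* Operational-mode checks (which peer address the SA is currently built to):
     show security ike security-associations
     show security ipsec security-associations
   There is no preempt: after .194 returns, the SA stays on .195 until DPD
   fails there, so alert on the peer address changing rather than on SA loss. */
```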