RPM IP Monitoring and IPSec VPN failover

[ Edited ]
‎05-26-2020 03:37 AM

Hi all,


I need help in configuring VPN failover for a somewhat exotic setup.


So, we have 2 sites: Site 1 and Site 2. And there are 2 links between sites: direct fiber (primary link) and Internet connection (backup link).


Site 1: Juniper SRX320. Primary (direct link) IP is and Internet IP is

Site 2: Sophos UTM9. This firewall supports only policy-based IPSec. Primary (direct link) IP is and Internet IP is


We have successfully configured the Policy-Based VPN between Sophos and Juniper using primary link (over the direct fiber). Now, we need this VPN tunnel to switch to the backup link (over the Internet) if the direct link fails. And here the problem begins.


Sophos can ping both remote IPs ( and ) and just replace the local/remote IPs in the VPN tunnel configuration (from to ) if the primary remote IP ( ) fails.


Juniper's RPM monitoring, as far as I understand, does not allow doing such things. What is the best way to set up failover in this case then?


The only thing I could think of is to create 2 Gateways and 2 VPNs (Primary and Secondary) on the Juniper side: when Sophos switches the IPs on its side, the secondary VPN on the Juniper side would establish the connection. But I believe there should be a more elegant solution for such a scenario.


Thank you.





Re: RPM IP Monitoring and IPSec VPN failover

‎05-26-2020 04:18 AM



Does the Sophos box support DPD/IKE "dead-peer-detection"?

If yes, then You can configure DPD on both sides, and on the SRX side 1 gateway with 2 addresses like below:


set security ike gateway BLAH address [ ]


The second address will be used when the 1st does not answer DPD.


More info here


Please ask Your Juniper account team about Juniper Professional Services offerings.
Juniper PS can design, test & build the network/part of the network as per Your requirements


Accept as Solution = cool !
Accept as Solution+Kudo = You are a Star !
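As an added illustration of the layout the reply describes (one IKE gateway, two peer addresses, DPD on the SRX side), here is a Junos set-format configuration; it is not from the thread or from Juniper's documentation, and the gateway/policy/zone names, the ge-0/0/0.0 interface, the address-book entries, the pre-shared key and the RFC 5737 peer addresses are all assumed placeholders.

```junos
# Added example, not from the thread: one IKE gateway with two peer addresses plus DPD.
# All names, the interface, the key and the 192.0.2.x / 198.51.100.x peers are placeholders.

# Phase 1: main-mode IKE policy with a pre-shared key
set security ike policy IKE-POL-SOPHOS mode main
set security ike policy IKE-POL-SOPHOS proposal-set standard
set security ike policy IKE-POL-SOPHOS pre-shared-key ascii-text "REPLACE-WITH-SHARED-SECRET"

# One gateway, two peer addresses: first the direct-fiber peer, then the Internet peer.
# The SRX negotiates with the first address and moves to the second once it stops answering DPD.
set security ike gateway GW-SOPHOS ike-policy IKE-POL-SOPHOS
set security ike gateway GW-SOPHOS address 192.0.2.2
set security ike gateway GW-SOPHOS address 198.51.100.2
set security ike gateway GW-SOPHOS external-interface ge-0/0/0.0

# DPD: send a probe every 10 s, declare the peer dead after 3 missed replies (example values)
set security ike gateway GW-SOPHOS dead-peer-detection always-send
set security ike gateway GW-SOPHOS dead-peer-detection interval 10
set security ike gateway GW-SOPHOS dead-peer-detection threshold 3

# Phase 2 policy and the VPN object bound to the gateway (policy-based, no st0 interface)
set security ipsec policy IPSEC-POL-SOPHOS proposal-set standard
set security ipsec vpn VPN-SOPHOS ike gateway GW-SOPHOS
set security ipsec vpn VPN-SOPHOS ike ipsec-policy IPSEC-POL-SOPHOS

# Policy-based VPN: the security policy steers matching traffic into the tunnel
# (SITE1-LAN / SITE2-LAN are assumed address-book entries)
set security policies from-zone trust to-zone untrust policy TO-SITE2 match source-address SITE1-LAN
set security policies from-zone trust to-zone untrust policy TO-SITE2 match destination-address SITE2-LAN
set security policies from-zone trust to-zone untrust policy TO-SITE2 match application any
set security policies from-zone trust to-zone untrust policy TO-SITE2 then permit tunnel ipsec-vpn VPN-SOPHOS

# Operational check of which peer address the SA is currently established with:
#   show security ike security-associations
#   show security ipsec security-associations
```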

Re: RPM IP Monitoring and IPSec VPN failover

[ Edited ]
‎05-26-2020 05:49 AM

Hi Alex,


Yes, Sophos supports DPD. But on the Juniper side, I also have to define the external interface for the IKE Gateway:

set security ike gateway BLAH external-interface irb.xx

And this interface would be different for direct line and for the Internet connection...


Or is this not mandatory?