I need help in configuring VPN failover for a bit of an exotic setup.
So, we have 2 sites: Site 1 and Site 2. And there are 2 links between sites: direct fiber (primary link) and Internet connection (backup link).
Site 1: Juniper SRX320. Primary (direct link) IP is 192.168.0.1 and Internet IP is 220.127.116.11.
Site 2: Sophos UTM9. This firewall supports only policy-based IPSec. Primary (direct link) IP is 192.168.0.2 and Internet IP is 18.104.22.168.
We have successfully configured the Policy-Based VPN between Sophos and Juniper using primary link (over the direct fiber). Now, we need this VPN tunnel to switch to the backup link (over the Internet) if the direct link fails. And here the problem begins.
Sophos can ping both remote IPs (192.168.0.1 and 22.214.171.124) and just replace the local/remote IPs in the VPN tunnel configuration (from 192.168.0.2/192.168.0.1 to 126.96.36.199/188.8.131.52) if the primary remote IP (192.168.0.1) fails.
Juniper's RPM monitoring, as far as I understand, does not allow doing such things. What is the best way to set up failover in this case then?
The only thing I could think of is to create 2 Gateways and 2 VPNs (Primary and Secondary) on the Juniper side: when Sophos switches the IPs on its side, the secondary VPN on the Juniper side would establish the connection. But I believe there should be a more elegant solution for such a scenario.
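As an added illustration of the two-gateway, two-VPN layout proposed in the question (this is not the poster's configuration nor Juniper documentation), the SRX side could be expressed in Junos as below. It assumes that ge-0/0/0.0 faces the direct fiber and ge-0/0/1.0 faces the Internet, that the site LANs are 10.1.0.0/24 and 10.2.0.0/24, and it uses `<SITE2-INTERNET-IP>` as a placeholder because the question gives more than one value for the Sophos Internet address; the interface names, subnets, object names and the PSK placeholder are all assumptions.

```junos
## Assumed layout (not from the question): ge-0/0/0.0 = direct fiber, ge-0/0/1.0 = Internet,
## Site 1 LAN 10.1.0.0/24, Site 2 LAN 10.2.0.0/24. Replace the <...> placeholders before use.

## Both external interfaces must accept IKE in their zone (assumed zone name: untrust)
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ike

## Phase 1 / phase 2 parameters shared by both tunnels (must match the Sophos policy)
set security ike proposal IKE-PROP authentication-method pre-shared-keys
set security ike proposal IKE-PROP dh-group group14
set security ike proposal IKE-PROP authentication-algorithm sha-256
set security ike proposal IKE-PROP encryption-algorithm aes-256-cbc
set security ike policy IKE-POL mode main
set security ike policy IKE-POL proposals IKE-PROP
set security ike policy IKE-POL pre-shared-key ascii-text "<PSK-PLACEHOLDER>"
set security ipsec proposal IPSEC-PROP protocol esp
set security ipsec proposal IPSEC-PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC-PROP encryption-algorithm aes-256-cbc
set security ipsec policy IPSEC-POL perfect-forward-secrecy keys group14
set security ipsec policy IPSEC-POL proposals IPSEC-PROP

## Gateway 1: Sophos reached over the direct fiber (addresses from the question)
set security ike gateway GW-PRIMARY ike-policy IKE-POL
set security ike gateway GW-PRIMARY address 192.168.0.2
set security ike gateway GW-PRIMARY external-interface ge-0/0/0.0
set security ike gateway GW-PRIMARY dead-peer-detection always-send

## Gateway 2: Sophos reached over the Internet (peer address is a placeholder)
set security ike gateway GW-BACKUP ike-policy IKE-POL
set security ike gateway GW-BACKUP address <SITE2-INTERNET-IP>
set security ike gateway GW-BACKUP external-interface ge-0/0/1.0
set security ike gateway GW-BACKUP dead-peer-detection always-send

## One policy-based VPN object per gateway
set security ipsec vpn VPN-PRIMARY ike gateway GW-PRIMARY
set security ipsec vpn VPN-PRIMARY ike ipsec-policy IPSEC-POL
set security ipsec vpn VPN-BACKUP ike gateway GW-BACKUP
set security ipsec vpn VPN-BACKUP ike ipsec-policy IPSEC-POL

## Protected networks (assumed subnets)
set security address-book global address SITE1-LAN 10.1.0.0/24
set security address-book global address SITE2-LAN 10.2.0.0/24

## Tunnel policy pair for the primary VPN; listed first, so it is matched first
set security policies from-zone trust to-zone untrust policy VPN-OUT-PRIMARY match source-address SITE1-LAN
set security policies from-zone trust to-zone untrust policy VPN-OUT-PRIMARY match destination-address SITE2-LAN
set security policies from-zone trust to-zone untrust policy VPN-OUT-PRIMARY match application any
set security policies from-zone trust to-zone untrust policy VPN-OUT-PRIMARY then permit tunnel ipsec-vpn VPN-PRIMARY
set security policies from-zone trust to-zone untrust policy VPN-OUT-PRIMARY then permit tunnel pair-policy VPN-IN-PRIMARY
set security policies from-zone untrust to-zone trust policy VPN-IN-PRIMARY match source-address SITE2-LAN
set security policies from-zone untrust to-zone trust policy VPN-IN-PRIMARY match destination-address SITE1-LAN
set security policies from-zone untrust to-zone trust policy VPN-IN-PRIMARY match application any
set security policies from-zone untrust to-zone trust policy VPN-IN-PRIMARY then permit tunnel ipsec-vpn VPN-PRIMARY
set security policies from-zone untrust to-zone trust policy VPN-IN-PRIMARY then permit tunnel pair-policy VPN-OUT-PRIMARY

## Identical match criteria for the backup VPN; only reached if ordered ahead of the primary pair
set security policies from-zone trust to-zone untrust policy VPN-OUT-BACKUP match source-address SITE1-LAN
set security policies from-zone trust to-zone untrust policy VPN-OUT-BACKUP match destination-address SITE2-LAN
set security policies from-zone trust to-zone untrust policy VPN-OUT-BACKUP match application any
set security policies from-zone trust to-zone untrust policy VPN-OUT-BACKUP then permit tunnel ipsec-vpn VPN-BACKUP
set security policies from-zone trust to-zone untrust policy VPN-OUT-BACKUP then permit tunnel pair-policy VPN-IN-BACKUP
set security policies from-zone untrust to-zone trust policy VPN-IN-BACKUP match source-address SITE2-LAN
set security policies from-zone untrust to-zone trust policy VPN-IN-BACKUP match destination-address SITE1-LAN
set security policies from-zone untrust to-zone trust policy VPN-IN-BACKUP match application any
set security policies from-zone untrust to-zone trust policy VPN-IN-BACKUP then permit tunnel ipsec-vpn VPN-BACKUP
set security policies from-zone untrust to-zone trust policy VPN-IN-BACKUP then permit tunnel pair-policy VPN-OUT-BACKUP
```

The limitation to check before relying on this layout: Junos evaluates security policies top-down and takes the first match, and both policy pairs match exactly the same traffic, so Site 1-originated traffic will always be pushed into VPN-PRIMARY regardless of whether the fiber is up. Making the SRX prefer the backup tunnel therefore still needs a policy reordering (for example `insert security policies from-zone trust to-zone untrust policy VPN-OUT-BACKUP before policy VPN-OUT-PRIMARY`) or deactivation of the primary pair. RPM and ip-monitoring act on routes rather than on security-policy order, which is why they cannot drive this switch for a policy-based tunnel by themselves; DPD on both gateways at least ensures the dead primary SA is torn down rather than lingering.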