Help VPN IPsec HA best practices

Hello,

I’m not sure about best practices, but I use the floating IP address from VRRP as the destination address in the VPN. When the routers switch roles, I have a script do a “restart vpn” that allows the new primary router to start up the VPN. The backup router will also try to start the VPN, but that fails because the backup router doesn’t own the IP address any more.

I suppose a better way might be to use the transition script to modify the configuration to enable/disable the VPN on transition. For that method, see this post (also includes my quick-and-dirty method).
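A sketch of the transition-script approach described above, as an added example that is not part of the original post or the linked one: it restarts the VPN only on the router that actually holds the VRRP floating address, so the backup never makes the failing attempt. The address `192.0.2.10`, the restart command placeholder, the function names, and the convention that the VRRP state arrives as the first argument are all assumptions to adapt to your platform.

```shell
#!/bin/sh
# Added example: VRRP transition handler that restarts the VPN only on the
# router that actually holds the floating address.
VIP="${VIP:-192.0.2.10}"                      # constructed floating IP (assumption)
VPN_RESTART_CMD="${VPN_RESTART_CMD:-echo restart vpn}"  # placeholder; use your platform's command

# Constructed sample of `ip -o -4 addr show` output on the router holding the VIP.
SAMPLE_ADDRS='2: eth0    inet 192.0.2.2/24 brd 192.0.2.255 scope global eth0
2: eth0    inet 192.0.2.10/24 scope global secondary eth0'

# owns_vip ADDR: read `ip -o -4 addr show` output on stdin; succeed only on an
# exact match of ADDR (so 192.0.2.1 does not match 192.0.2.10).
owns_vip() {
    awk -v vip="$1" '{ split($4, a, "/"); if (a[1] == vip) found = 1 }
                     END { exit !found }'
}

# decide STATE: print restart, wait, skip or unknown for the given VRRP state.
decide() {
    case "$1" in
        master|MASTER)
            if owns_vip "$VIP"; then echo restart; else echo wait; fi ;;
        backup|BACKUP|fault|FAULT)
            cat >/dev/null; echo skip ;;
        *)
            cat >/dev/null; echo unknown ;;
    esac
}

# on_transition STATE: the VIP may not be configured yet when the script fires,
# so poll briefly before giving up.
on_transition() {
    tries=0
    while [ "$tries" -lt 5 ]; do
        action=$(ip -o -4 addr show | decide "$1")
        case "$action" in
            restart) $VPN_RESTART_CMD; return 0 ;;
            wait)    tries=$((tries + 1)); sleep 1 ;;
            *)       return 0 ;;
        esac
    done
    echo "VIP $VIP absent after transition to $1; VPN not restarted" >&2
    return 1
}

if [ $# -gt 0 ]; then on_transition "$1"; fi
```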