The vRouter provides the ability to maintain connectivity through one IPsec tunnel by using a pair of vRouter with VRRP. When one router fails or is brought down for maintenance, the new VRRP master router restores IPsec connectivity between the local and remote networks.

When configuring High Availability VPN with VRRP whenever a VRRP virtual address is added to a vRouter interface, you must reinitialize the IPsec daemon because the IPsec service listens only for connections to the addresses that are present on the vRouter when the IKE service daemon is initialized.

For a pair of vRouter routers with VRRP, the standby router does not have the VRRP virtual address that is present on the device during initialization because the master router may not have that address present. Therefore, to reinitialize the IPsec daemon when a VRRP state transition occurs, run the following command on the master and backup routers:

interfaces dataplane interface-name vrrp vrrp-group group-id notify