Hi @BigPalo,

This is what I feel: I feel you may face a little trouble with this configuration. You have a default route through the tunnel and tunnel monitoring with fail-over on the primary and wait-recover on the secondary. If you don't have a static route to the remote peers other than through the tunnel, consider the following scenarios:

1. Primary tunnel monitor is up: everything works, you won't face any issues.
2. Primary tunnel monitor is down: it disables the tunnel and removes the route; the second tunnel will come up and you will have a default route through the secondary tunnel. As you may not have a static route to the remote peer other than this one, the primary monitoring might keep on trying to rekey through the secondary tunnel, which may not be successful. What if your secondary tunnel is also down now? As you have the default monitoring (wait-recover), this tunnel will try to recover and the route will still be there.

So I feel you should add a static route to the remote peers not through the tunnel, and there is no need for a tunnel monitor on the secondary, as once the first one successfully rekeys, it will add a lower-metric route.
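As an added illustration (not part of the reply above or any Palo Alto Networks code), a small Python model of the route-selection logic behind this recommendation: the interface names, peer addresses and metrics are constructed assumptions, and the fail-over / wait-recover semantics are the ones the reply describes.

```python
import ipaddress

# Constructed sample topology (not from the original post): interface names,
# peer addresses and metrics are assumptions chosen for illustration.
TUNNELS = {
    "tunnel.1": {"action": "fail-over",    "peer": "203.0.113.10"},
    "tunnel.2": {"action": "wait-recover", "peer": "198.51.100.20"},
}
DEFAULT_ONLY = [  # the poster's situation: default routes only via the tunnels
    {"prefix": "0.0.0.0/0", "interface": "tunnel.1", "metric": 10},
    {"prefix": "0.0.0.0/0", "interface": "tunnel.2", "metric": 20},
]
WITH_PEER_ROUTES = DEFAULT_ONLY + [  # the fix: /32 per IKE peer via the ISP-facing interface
    {"prefix": "203.0.113.10/32", "interface": "ethernet1/1", "metric": 10},
    {"prefix": "198.51.100.20/32", "interface": "ethernet1/1", "metric": 10},
]

def installed_routes(routes, tunnels, monitor_up):
    """'fail-over' withdraws a tunnel's routes while its monitor is down;
    'wait-recover' keeps them installed and only waits for the tunnel to recover."""
    keep = []
    for r in routes:
        t = tunnels.get(r["interface"])
        if t is None or t["action"] != "fail-over" or monitor_up[r["interface"]]:
            keep.append(r)
    return keep

def egress_interface(routes, tunnels, monitor_up, dst):
    """Longest-prefix match over installed routes, lowest metric as tie-breaker."""
    dst, best = ipaddress.ip_address(dst), None
    for r in installed_routes(routes, tunnels, monitor_up):
        net = ipaddress.ip_network(r["prefix"])
        rank = (net.prefixlen, -r["metric"])
        if dst in net and (best is None or rank > best[0]):
            best = (rank, r["interface"])
    return best[1] if best else None

def ike_can_reach_peer(routes, tunnels, monitor_up, name):
    """IKE/rekey packets to a peer must leave via a physical interface; if the
    lookup recurses into a tunnel interface, the rekey is sent into a tunnel."""
    egress = egress_interface(routes, tunnels, monitor_up, tunnels[name]["peer"])
    return egress is not None and not egress.startswith("tunnel.")

def scenario(routes, primary_up, secondary_up):
    """Default-route egress and rekey reachability for one monitor-state combination."""
    up = {"tunnel.1": primary_up, "tunnel.2": secondary_up}
    return {
        "default_via": egress_interface(routes, TUNNELS, up, "192.0.2.1"),
        "primary_rekey_ok": ike_can_reach_peer(routes, TUNNELS, up, "tunnel.1"),
        "secondary_rekey_ok": ike_can_reach_peer(routes, TUNNELS, up, "tunnel.2"),
    }
```

Without the /32 routes the peer address recurses into whichever default route is still installed, which is always a tunnel interface, and wait-recover keeps the secondary's route installed even with both monitors down; with them, rekeys egress ethernet1/1 in every state.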