
I have a route-based VPN from my site (Netscreen204) to a customer site (Fortinet). They want a second, backup tunnel in case of failure, and will be using the Fortinet there too.

The only thing I don't quite get is how best to set up VPN monitor. Can I set up a loopback interface that can ping some destination in their domain? Does that loopback have to be from the IP range that I specified in the proxy-id locally?

user202243

1 Answer


I answered this. VPN monitor has to be set up using IP addresses that are in both proxy-id address ranges. So, yes, the loopback has to be from the IP range specified in the proxy-id.

The idea is to NOT be pinging the tunnel interfaces. You're interested in reachability between networks or "encryption domains".

Make sure to check "optimize" and "rekey" as well. For the failover tunnel, just make sure that the metric and the preference are greater than the default, or at least greater than the primary route.

Optimizing means that if there is traffic on the line, then it won't ping.

This is the way to do it when one side is ScreenOS and the other is a different manufacturer.

user202243
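The configuration the answer describes, written out as ScreenOS CLI. This is an added example, not configuration posted by either participant. Every name and address in it is an assumption: a local encryption domain of 10.10.0.0/24, a customer (remote) encryption domain of 172.16.50.0/24, a loopback at 10.10.0.250 inside the local proxy-id range, a monitor target of 172.16.50.1 inside the remote range, two IKE gateways gw-cust-pri and gw-cust-bak that are assumed to exist already, and ethernet3 as the untrust interface. Lines beginning with ## are explanatory notes for the reader and are not ScreenOS syntax; drop them before pasting.

```screenos
## Added example (not from the original poster). Assumed addressing:
##   local encryption domain  10.10.0.0/24   (proxy-id local-ip)
##   remote encryption domain 172.16.50.0/24 (proxy-id remote-ip)
##   loopback.1 = 10.10.0.250, monitor destination = 172.16.50.1
##   IKE gateways gw-cust-pri / gw-cust-bak assumed to be defined already

## Loopback whose address sits inside the LOCAL proxy-id range. This, not
## the tunnel interface, is the source of the monitor pings.
set interface loopback.1 zone trust
set interface loopback.1 ip 10.10.0.250/24

## Two route-based tunnel interfaces, unnumbered on the untrust interface.
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet3
set interface tunnel.2 zone untrust
set interface tunnel.2 ip unnumbered interface ethernet3

## Primary VPN on tunnel.1. The proxy-id is identical on both tunnels.
set vpn vpn-cust-pri gateway gw-cust-pri sec-level standard
set vpn vpn-cust-pri bind interface tunnel.1
set vpn vpn-cust-pri proxy-id local-ip 10.10.0.0/24 remote-ip 172.16.50.0/24 any
## Monitor: source inside the local proxy-id, destination inside the remote
## proxy-id. "optimized" suppresses pings while user traffic is flowing;
## "rekey" lets the monitor bring the SA back up on its own.
set vpn vpn-cust-pri monitor source-interface loopback.1 destination-ip 172.16.50.1 optimized rekey

## Backup VPN on tunnel.2, same proxy-id and monitor settings.
set vpn vpn-cust-bak gateway gw-cust-bak sec-level standard
set vpn vpn-cust-bak bind interface tunnel.2
set vpn vpn-cust-bak proxy-id local-ip 10.10.0.0/24 remote-ip 172.16.50.0/24 any
set vpn vpn-cust-bak monitor source-interface loopback.1 destination-ip 172.16.50.1 optimized rekey

## Routes to the remote encryption domain. The backup route carries a worse
## metric and a higher (less preferred) preference than the primary, so it
## is only used once the monitor marks tunnel.1 down and its route drops out.
set route 172.16.50.0/24 interface tunnel.1 metric 1 preference 20
set route 172.16.50.0/24 interface tunnel.2 metric 10 preference 30

save

## Checks:
##   get vpn monitor           -> both VPNs listed with their monitor status
##   get sa active             -> SAs for the tunnel currently in use
##   get route ip 172.16.50.1  -> resolves via tunnel.1 while the primary is up
```

Two things to verify on the customer side before trusting the failover: the Fortinet must actually answer ICMP on 172.16.50.1 from a 10.10.0.0/24 source (a monitor target that drops pings looks exactly like a dead tunnel), and its own selectors and return route for the backup tunnel must cover 10.10.0.250, otherwise the backup SA comes up but the monitor pings over it never return.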