I have two dedicated servers that I have configured to require AH and ESP between their (public) IP addresses and using racoon I've set up isakmp. The IPsec tunnel between them is working well - I can see that all traffic between them is encrypted (that is, tcpdump shows only AH and ESP header no matter what kind of traffic I'm sending between them).

Now, I'm a little paranoid that at some point something could happen and the setkey service that configures my security policy could end up off on both servers. Or perhaps something happens and someone flushes the security policy. And then all my traffic between the servers is unencrypted for weeks or months before someone (hopefully) notices.

Question: What can I do to avoid ever having the traffic between these two servers work unencrypted?

My half-brained solution: One way I thought of accomplishing this was to assign each of them a private IP (let's say 192.168.0.1 and 192.168.0.2 to keep it simple) and then have all my applications that need to talk to the other server use those private IPs rather than the public IPs and then make it so that those private IPs are only routable when the IPsec tunnel is up.

Questions: Is this a feasible way to do this? Would I need GRE? Or could I do it with simple "ip route add 192.168.0.2/32 via [public ip 2] dev eth0" (from server 1)? Is it necessary? What's the best way to accomplish it?