Guys,
I have created two tunnels from an ISR4331; the other end is two Check Point firewalls which are in ClusterXL, but the tunnel interfaces are not.
Now we have a problem with tunnel redundancy, as only one tunnel is active at a time.
I have attached the Cisco-side configuration here. (When I ran a debug, I saw that the ClusterXL VIP needed to be added to the keyring; only then did the IPsec tunnel with that interface come up.)
IPsec PE Configuration
======================
ip vrf vpn1
 rd 100:1
 route-target export 100:1
 route-target import 100:1
!
! Pre-shared keys, one entry per peer address. A peer with no entry here
! cannot authenticate (this is why the ClusterXL VIP 172.16.2.1 had to be added).
crypto keyring vpn1
 pre-shared-key address 172.16.1.1 key vpn1
 pre-shared-key address 172.16.2.1 key vpn1
 ! 2nd IPsec peer
 pre-shared-key address 10.1.1.1 key vpn2
!
crypto isakmp policy 1
 encr aes 256
 hash sha256
 authentication pre-share
 group 2
!
! ISAKMP keepalives (DPD) every 10 seconds; a dead peer is what lets the
! crypto map move on to its next configured peer.
crypto isakmp keepalive 10
!
crypto isakmp profile vpn1
 vrf vpn1
 keyring vpn1
 match identity address 172.16.1.1 255.255.255.255
 ! ClusterXL VIP (cluster IP)
 match identity address 172.16.2.1 255.255.255.255
 ! 2nd IPsec peer
 match identity address 10.1.1.1 255.255.255.255
!
crypto ipsec transform-set vpn1 esp-aes 256 esp-sha256-hmac
!
! One crypto map entry with two peers: IOS negotiates with the first peer
! and only moves to the next one after that peer is declared dead, so only
! one tunnel is active per map entry at any time.
crypto map crypmap 1 ipsec-isakmp
 set peer 172.16.1.1
 set peer 172.16.2.1
 set transform-set vpn1
 set isakmp-profile vpn1
 match address 101
!
interface Ethernet1/2
 ip address 172.18.1.1 255.255.255.0
 crypto map crypmap
!
! Route to the remote LAN from the VRF via the next hop in the global table.
ip route vrf vpn1 10.2.0.0 255.255.0.0 172.18.1.2 global
!
! Crypto ACL (interesting traffic) referenced by the crypto map.
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
! Duplicate of 101; not referenced by any crypto map entry.
access-list 102 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
#######################################
R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
172.16.1.1      172.18.1.2      QM_IDLE           1109 ACTIVE

IPv6 Crypto ISAKMP SA

R1#
Please suggest redundancy options for the IPsec VPN.
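The following Python script is an added example, not code from the original post. It automates the cross-check the poster did by hand with debug: it parses the crypto keyring, ISAKMP profile and crypto map entries from an IOS config and reports any crypto-map peer that lacks a pre-shared key or a match identity entry, any keyring entry that is not a configured peer, and which configured peers have an ACTIVE ISAKMP SA in `show crypto isakmp sa` output. The CONFIG and SA_OUTPUT strings embedded in it are constructed samples modelled on the post, not live output, and the function names (`parse_config`, `active_addresses`, `audit`) are this example's own.

```python
"""Cross-check IOS crypto-map peers against the keyring, the ISAKMP profile
and 'show crypto isakmp sa'. Added example, not code from the original post;
CONFIG and SA_OUTPUT are constructed samples modelled on the poster's config.
"""
import re
from collections import defaultdict

# Constructed sample config (one-space indentation as IOS prints it).
CONFIG = """\
crypto keyring vpn1
 pre-shared-key address 172.16.1.1 key vpn1
 pre-shared-key address 172.16.2.1 key vpn1
 pre-shared-key address 10.1.1.1 key vpn2
!
crypto isakmp profile vpn1
 keyring vpn1
 match identity address 172.16.1.1 255.255.255.255
 match identity address 172.16.2.1 255.255.255.255
 match identity address 10.1.1.1 255.255.255.255
!
crypto map crypmap 1 ipsec-isakmp
 set peer 172.16.1.1
 set peer 172.16.2.1
 set isakmp-profile vpn1
!
"""

# Constructed sample of 'show crypto isakmp sa' (one ACTIVE SA, as in the post).
SA_OUTPUT = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
172.16.1.1      172.18.1.2      QM_IDLE           1109 ACTIVE
"""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_config(text):
    """Extract keyring peers, ISAKMP profiles and crypto-map entries from IOS config text."""
    keyrings = defaultdict(set)                                      # name -> {peer}
    profiles = defaultdict(lambda: {"keyring": None, "ids": set()})  # name -> details
    maps = defaultdict(lambda: {"peers": [], "profile": None})       # "name seq" -> details
    section = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if not line.startswith(" "):             # unindented line starts a new block
            m = re.match(r"crypto (keyring|isakmp profile|map) (\S+)(?: (\d+))?", line)
            section = (m.group(1), " ".join(g for g in m.groups()[1:] if g)) if m else None
            continue
        if section is None:
            continue
        kind, key, tok = section[0], section[1], line.split()
        if kind == "keyring" and tok[:2] == ["pre-shared-key", "address"]:
            keyrings[key].add(tok[2])
        elif kind == "isakmp profile" and tok[0] == "keyring":
            profiles[key]["keyring"] = tok[1]
        elif kind == "isakmp profile" and tok[:3] == ["match", "identity", "address"]:
            profiles[key]["ids"].add(tok[3])
        elif kind == "map" and tok[:2] == ["set", "peer"]:
            maps[key]["peers"].append(tok[2])
        elif kind == "map" and tok[:2] == ["set", "isakmp-profile"]:
            maps[key]["profile"] = tok[2]
    return keyrings, profiles, maps


def active_addresses(sa_text):
    """Addresses in ACTIVE rows of 'show crypto isakmp sa'. dst is the remote peer
    when this router initiated and src when it responded, so both columns count."""
    active = set()
    for line in sa_text.splitlines():
        tok = line.split()
        if len(tok) >= 5 and IPV4.match(tok[0]) and tok[-1] == "ACTIVE":
            active.update(tok[:2])
    return active


def audit(config_text, sa_text):
    """Return a list of findings; an empty list means every peer is consistent."""
    keyrings, profiles, maps = parse_config(config_text)
    active = active_addresses(sa_text)
    findings = []
    for key, entry in maps.items():
        prof = profiles.get(entry["profile"])
        if prof is None:
            findings.append(f"{key}: isakmp-profile {entry['profile']} is not defined")
            continue
        ring = keyrings.get(prof["keyring"], set())
        for peer in entry["peers"]:
            if peer not in ring:
                findings.append(f"{key}: peer {peer} has no pre-shared-key in keyring {prof['keyring']}")
            if peer not in prof["ids"]:
                findings.append(f"{key}: peer {peer} has no match identity in profile {entry['profile']}")
            if peer not in active:
                findings.append(f"{key}: peer {peer} has no ACTIVE ISAKMP SA")
    configured = {p for e in maps.values() for p in e["peers"]}
    for rname, addrs in keyrings.items():
        for addr in sorted(addrs - configured):
            findings.append(f"keyring {rname}: {addr} is not a set peer of any crypto map entry")
    return findings


if __name__ == "__main__":
    for finding in audit(CONFIG, SA_OUTPUT):
        print(finding)
```

Run against the sample it reports that 172.16.2.1 has no ACTIVE SA (expected with a single active/standby crypto map entry) and that the 10.1.1.1 keyring entry is not a `set peer` anywhere; deleting the 172.16.2.1 keyring line reproduces the missing-pre-shared-key condition the poster hit before adding the VIP. To use it on a real router, paste the output of `show running-config` and `show crypto isakmp sa` into the two strings.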