I have a Juniper SSG-320 FW. I would like to create two IPSec tunnels to another office. One is primary and the other one is secondary. The remote destination subnet is the same because it's an office. If the primary tunnel fails then I want the secondary tunnel to become primary. Is this possible with metrics, and does it have to be a route-based VPN or policy-based? See diagram.