Carried over from this thread where
The next step I'm trying to accomplish is to add a script to connect a backup IPsec tunnel following failover.
Borrowing from BranoB's post here:
/config/scripts/wlb-transition.sh
    #!/bin/bash
    # Arguments passed by the load-balance transition hook: group, interface, new status
    GROUP=$1
    INTF=$2
    STATUS=$3
    MYLOG="/var/log/wlb"
    TS=$(date +"%m%d%y-%T")
    run=/opt/vyatta/bin/vyatta-op-cmd-wrapper
    # Interface description, taken from the 4th column of "show interfaces"
    INTFDSCR=$($run show interfaces | grep "$INTF" | awk '{print $4}')
    ROUTER=$(hostname)

    case "$STATUS" in
      active)
        msg="$TS: Internet connection $GROUP:$INTF:$INTFDSCR is active now!"
        # Send me an email on recovery
        # Note: ssl-verify=ignore turns off validation of the SMTP server's certificate
        echo "$msg" | mailx -r "noreply@mydomain.com" \
          -s "Router $ROUTER WAN fail-over event" \
          -S smtp="smtp.gmail.com:587" -S smtp-use-starttls \
          -S smtp-auth=login -S smtp-auth-user="noreply@mydomain.com" \
          -S smtp-auth-password="***" -S ssl-verify=ignore \
          support@mydomain.com
        ;;
      inactive)
        msg="$TS: Internet connection $GROUP:$INTF:$INTFDSCR is inactive."
        ;;
      failover)
        msg="$TS: Internet connection $GROUP:$INTF:$INTFDSCR is in failover."
        ;;
      *)
        msg="$TS: Oh crap, $GROUP:$INTF:$INTFDSCR going [$STATUS]"
        ;;
    esac

    # log to /var/log/wlb
    echo "$msg" >> "$MYLOG"
    # and log the same to syslog
    logger "$msg"
    # flush conntrack so on fail-back all sessions switch to primary WAN immediately
    /usr/sbin/conntrack -F
    # add connected routes to lb tables for VPN and remote traffic to work properly
    /usr/sbin/ubnt-add-connected.pl
    exit 0
I'd like to add syntax to update DDNS and restart IPsec (the conntrack flush is already present in the script, and the email notification portion may be handy). Additionally, what's the best way to handle things transitioning back when the primary WAN is back online? Can anyone assist? Is there a better way of doing this that I'm not thinking of?