MPLS VPN Redundancy using Checkpoint

I have a question. I am trying to set up MPLS redundancy using VPN as the failover mechanism through the use of Checkpoint firewalls. The ISP agreed to let us use 2 internal network interfaces, one that goes into the internal core switch and the other one that goes into the firewall. I am trying to brainstorm an idea of how to do the VPN failover. The problem is the ISP doesn't allow any dynamic routing protocols between our internal core switch and the router. The best that they can do is add a floating static with a higher administrative distance pointing to the firewall interface; that way, if let's say one of the remote MPLS routers dies, the floating static would kick in and traffic would travel across the firewall VPN.

The only thing that I am not so sure of is how the traffic from the remote site where the MPLS router failed will know that it needs to be forwarded to the firewall rather than through the MPLS router. Note, on each core switch I have 2 static routes pointing to the remote site's respective subnets with the next hop of the MPLS router. So if let's say the MPLS router that is serving for example the 10.148.1.x/24 subnet fails, even though the remote routers will know about its failure and will instantly start sending traffic through their firewall (because the BGP route will disappear and the floating static will kick in), the core switch will continue sending traffic to the failed MPLS router instead of the firewall!! Is there a feature or a mechanism that would prevent such behavior from happening?

In our scenario we are using Checkpoint, but if the Checkpoint firewall doesn't have such functionality we might have to go towards Juniper NetScreen firewalls. Any suggestions, anyone, on what can be done to allow redundant failover through the VPN when one of the routers dies, keeping in mind that no dynamic protocols are allowed between the MPLS router and the core switch other than the floating static pointing to the firewall?

Maybe I am missing the concept here, but what if I add a default route pointing to the firewall? Since the static routes to the remote sites are already present on the core switch, then when the MPLS router dies, would the static routes that are pointing to the faulty MPLS router no longer take precedence and the default route kick in? Or maybe I should use some sort of tracking mechanism on the core switch; note this is a 6500 series switch at each site.


I have attached a file (Brainstorming-MPLS-VPN-Redundanc.jpg) showing the diagram of my design so you know what I am referring to.
romanwell asked:

grimkin commented:
Hi,

What you are looking for includes the use of VTIs (Virtual Tunnel Interfaces), in essence route-based VPNs. This way you can assign metrics so that when one route, i.e. the MPLS, is not available, the next will be chosen, which will be your route-based VPN.

In order to use VTIs I believe you need to be running SecurePlatform *Pro* which is an extra license so this is a cost you may have to factor in.

The snakeoilresearch website has an excellent tutorial and lab doing this using OSPF but I believe it can be done with static routes only and does not require dynamic routing, it can be found here: http://www.snakeoilresearch.com/white_paper_running_ospf_on.html

Info on creating the VTIs can be found in the VPN Guide here: http://supportcontent.checkpoint.com/file_download?id=7261

Hope this helps!
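To make the routing-table behaviour behind both posts concrete, here is an added illustration that is not from the thread or from any vendor: a minimal model of a core switch's static RIB. It shows why the asker's "default route to the firewall" idea cannot work (the more specific /24 via the MPLS router stays installed while the local link is up, and longest match beats administrative distance), and why a floating static for the same prefix only helps when the primary static is tied to a reachability track. The next-hop addresses and track id are constructed.

```python
import ipaddress

MPLS_ROUTER = "10.0.0.1"  # constructed: core switch's next hop to the MPLS router
FIREWALL = "10.0.0.2"     # constructed: inside interface of the Checkpoint


class RIB:
    def __init__(self, link_up, tracks=None):
        self.link_up = link_up      # next hop -> is the local link up?
        self.tracks = tracks or {}  # track id -> did the reachability probe pass?
        self.statics = []           # (prefix, next hop, admin distance, track id)

    def add_static(self, prefix, next_hop, ad=1, track=None):
        self.statics.append((ipaddress.ip_network(prefix), next_hop, ad, track))

    def installed(self, next_hop, track):
        # An untracked static stays installed while the local link is up, even if
        # the router at the far end of the MPLS cloud is dead. A tracked static is
        # withdrawn as soon as its probe fails.
        if not self.link_up.get(next_hop, False):
            return False
        return True if track is None else self.tracks.get(track, False)

    def lookup(self, dst):
        dst = ipaddress.ip_address(dst)
        best = None
        for prefix, nh, ad, track in self.statics:
            if dst in prefix and self.installed(nh, track):
                key = (prefix.prefixlen, -ad)  # longest match first, then lowest AD
                if best is None or key > best[0]:
                    best = (key, nh)
        return best[1] if best else None


def default_route_only():
    # Asker's idea: specific static via MPLS plus a default via the firewall.
    rib = RIB(link_up={MPLS_ROUTER: True, FIREWALL: True})
    rib.add_static("10.148.1.0/24", MPLS_ROUTER, ad=1)
    rib.add_static("0.0.0.0/0", FIREWALL, ad=250)
    # Remote MPLS router is dead, but the local link is still up, so the /24
    # stays installed and beats the default: traffic is black-holed.
    return rib.lookup("10.148.1.10")


def tracked_floating_static(remote_reachable):
    # Same prefix twice: AD 1 via MPLS tied to track 1, AD 250 via the firewall.
    rib = RIB(link_up={MPLS_ROUTER: True, FIREWALL: True}, tracks={1: remote_reachable})
    rib.add_static("10.148.1.0/24", MPLS_ROUTER, ad=1, track=1)
    rib.add_static("10.148.1.0/24", FIREWALL, ad=250)
    return rib.lookup("10.148.1.10")
```

The model applies the same rule a real RIB does: prefix length is compared before administrative distance, so the floating static must cover the same prefix as the primary, and the primary must be withdrawn by something that sees the remote failure (a track or a routing protocol), not just by local link state.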
Question has a verified solution.