CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.



#1  2009-07-13  ecorreale (Junior Member, joined 2005-11-08)
Failover VPN between sites

I have been searching for a solution for this everywhere without any luck. I'm hoping someone can point me in the right direction.

I have 2 NGX R65 Nokia based CheckPoint firewalls located at the main site and an R65 FW at each of 2 remote sites. I have VPN tunnels from each firewall at the central site to each of the remote sites.

Each firewall at the main site is connected externally to a unique Internet provider. Internally, they connect to the same core network.

At the moment, each internal connection exists on its own VLAN, but it doesn't have to stay that way if there is a better way of doing things.

I've included a diagram for clarity.

Problem: I want to enable vpn tunnel redundancy from the main site to each of the remote sites.

e.g.
If the Internet connection for FW-1 (not the firewall itself) fails, I need the network to realize this and start sending data over VPN tunnels connected to FW-2. I have been unable to get the internal network to realize that it needs to send via FW-2 AND switch back when the primary Internet link comes back online.

I've tried a couple of things but the same problem keeps cropping up... In my scenario, the firewall interfaces never go down; they just lose their ability to send data because of an issue with the ISP. Adding a secondary default route in the switch core doesn't work because the core never realizes that the route is down, since the interface to the firewall is always up.
[Attached diagram: vpn_diagram.jpg]
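The gap the post describes is that the core only consults link state, which never changes when an ISP fails. As an added example (not from the original thread or from Check Point), the logic below judges each gateway by end-to-end probe results instead, with hysteresis so traffic moves to FW-2 after a few failed probes and returns to FW-1 only after the path has been good for a while. The gateway names and probe timeline are constructed.

```python
"""Added example: path-health tracking for two gateways whose interfaces stay
up while the ISP behind one of them is dead. Each path is judged by probes that
must traverse that ISP, never by link state, and failover/failback both use
hysteresis. Gateway names and probe results are constructed for illustration."""
from collections import deque
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class PathTracker:
    """State for one gateway path; record() returns the path's current status."""
    name: str
    fail_after: int = 3       # consecutive failed probes before declaring down
    recover_after: int = 5    # consecutive good probes before failing back
    up: bool = True
    _history: deque = field(default_factory=lambda: deque(maxlen=8))

    def record(self, probe_ok: bool) -> bool:
        self._history.append(probe_ok)
        recent = list(self._history)
        if self.up and len(recent) >= self.fail_after and not any(recent[-self.fail_after:]):
            self.up = False           # interface may still be up; the path is not
        elif not self.up and len(recent) >= self.recover_after and all(recent[-self.recover_after:]):
            self.up = True            # ISP has been back long enough to trust it
        return self.up

def select_gateway(primary: PathTracker, secondary: PathTracker) -> Optional[str]:
    """Prefer the primary whenever its path is healthy, so failback is automatic."""
    if primary.up:
        return primary.name
    if secondary.up:
        return secondary.name
    return None  # both paths down: nothing to install as the default route

def run_probes(results: List[Tuple[bool, bool]]) -> List[Optional[str]]:
    """Feed (FW-1 probe, FW-2 probe) results per tick; return the chosen gateway."""
    fw1, fw2 = PathTracker("FW-1"), PathTracker("FW-2")
    chosen = []
    for ok1, ok2 in results:
        fw1.record(ok1)
        fw2.record(ok2)
        chosen.append(select_gateway(fw1, fw2))
    return chosen

if __name__ == "__main__":
    # Constructed timeline: FW-1's ISP fails for 6 ticks, then comes back.
    timeline = [(True, True)] * 2 + [(False, True)] * 6 + [(True, True)] * 6
    print(run_probes(timeline))
```

In a real deployment the probe targets must be hosts reachable only through the ISP under test, and the chosen gateway would be pushed into the core's routing table rather than printed.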
#2  2009-07-15  lammbo (Senior Member, Charleston, SC, joined 2006-02-09)
Re: Failover VPN between sites

Rather than maintain 2 firewalls on 2 circuits, I think you need to reconsider your architecture. I am not very well versed in the subject of ISP redundancy, but I think the solution you're looking for should be something revolving around this strategy. Make your 2 separate firewalls a single HA cluster. Take the 2 Internet circuits and set up ISP redundancy on the cluster rather than on 2 individual gateways as you have it now.
__________________
There's no place like 127.0.0.1