Crypto maps allow adding more then one peer. As I remember they try to connect to them in descending order, until first successful connect. If peer fails after successful connection next peer in list will be tried. Sample:
crypto map test-it 10 ipsec-isakmp
! Incomplete
set peer 1.1.1.1
set peer 2.2.2.2
match address 111
You can also add 2 different crypto maps, so two tunnels will be active at the same time.
Other problem is that ether CheckPoint FW, ether PIX have very limited routing functions. It will be problem for central office to detect where the active tunnel currently terminated, to the pix or to the FW-1. A central office router fails to pass return traffic to the correct VPN box.
My advice is - if you want redundancy use pure one vendor solution:
Ether CheckPoint FW HA cluster (on SecurePlatform + free ISP redundancy feature) in the central office and Safe@Edge boxes in the branches
Ether IOS router EazyVPN server in the center (or even Router Cluster) and PIX firewalls or IOS routers in the branches.
Any Future questions?