Hello W,
I have built a real lab with a PE connected to 3 CE MPLS routers, and one Internet router with 4 interfaces: fa0 to the Internet, vl11, vl12 and vl13.
In between the CEs and the Internet router there are 3 different firewalls.
MPLS (zone) is the primary path, and Untrust (Internet) with tunnel.1 (Untrust).
We inject the default gateway through our MPLS CE routers with a high metric.
At the same time we also get a better default gateway metric injected by our Internet ISP router on the Untrust interface.
This will NAT Internet traffic directly from the firewall out to the Internet ISP router.
In case this route dies, everything will go via MPLS.
We have built a fully meshed VPN using OSPF between the 3 firewalls with a high metric on known routes. Those will become active as soon as MPLS fails.
This is working, and we will implement it soon for a lot of offices, for cheaper Internet bandwidth and also a cheaper backup solution.
Attached is a great JTAC document on how to configure fully meshed VPNs with OSPF.
We would have loved to use NSM a little bit more, but it seems that VPN creation isn't working too well with it.
Cheers,
Markus
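For readers who want to see the design above concretely, here is an added, illustrative ScreenOS-style configuration for one of the three firewalls. It is not Markus's configuration and not the attached JTAC document; every interface name, zone name, address, peer name, pre-shared key and OSPF cost is an assumption made for the example, and the mesh is shown with one tunnel interface per peer rather than the single tunnel.1 the post mentions (a single p2mp tunnel interface would additionally need next-hop tunnel binding).

```screenos
## Added example, not from the original post. All names, addresses and costs are assumed.

## Zones and interfaces: Internet uplink in Untrust, LAN in Trust, CE link in a custom MPLS zone.
## The LAN interface is kept in route mode so that interface NAT does not also
## translate traffic that is routed into the tunnels (which share the Untrust zone).
set zone name MPLS
set interface ethernet0/0 zone Untrust
set interface ethernet0/0 ip 203.0.113.2/30
set interface ethernet0/1 zone Trust
set interface ethernet0/1 ip 10.1.1.1/24
set interface ethernet0/1 route
set interface ethernet0/2 zone MPLS
set interface ethernet0/2 ip 10.255.1.2/30

## Tunnel interfaces for the mesh, unnumbered on the Untrust uplink (assumed: one per peer)
set interface tunnel.1 zone Untrust
set interface tunnel.1 ip unnumbered interface ethernet0/0
set interface tunnel.2 zone Untrust
set interface tunnel.2 ip unnumbered interface ethernet0/0

## Route-based VPNs to the two other firewalls (assumed peer addresses and PSKs)
set ike gateway gw-fw2 address 198.51.100.2 main outgoing-interface ethernet0/0 preshare "psk-fw2" sec-level standard
set vpn vpn-fw2 gateway gw-fw2 sec-level standard
set vpn vpn-fw2 bind interface tunnel.1
set ike gateway gw-fw3 address 198.51.100.3 main outgoing-interface ethernet0/0 preshare "psk-fw3" sec-level standard
set vpn vpn-fw3 gateway gw-fw3 sec-level standard
set vpn vpn-fw3 bind interface tunnel.2

## OSPF in trust-vr: uplink, CE link and both tunnels all in area 0.
## Costs model the post's preferences: Internet cheapest, MPLS next,
## the mesh tunnels so expensive that their routes only win once MPLS is gone.
set vrouter trust-vr
set protocol ospf
set enable
exit
exit
set interface ethernet0/0 protocol ospf area 0.0.0.0
set interface ethernet0/0 protocol ospf cost 1
set interface ethernet0/0 protocol ospf enable
set interface ethernet0/2 protocol ospf area 0.0.0.0
set interface ethernet0/2 protocol ospf cost 10
set interface ethernet0/2 protocol ospf enable
set interface tunnel.1 protocol ospf area 0.0.0.0
set interface tunnel.1 protocol ospf link-type p2p
set interface tunnel.1 protocol ospf cost 1000
set interface tunnel.1 protocol ospf enable
set interface tunnel.2 protocol ospf area 0.0.0.0
set interface tunnel.2 protocol ospf link-type p2p
set interface tunnel.2 protocol ospf cost 1000
set interface tunnel.2 protocol ospf enable

## Address objects for the local LAN and the two remote office LANs (assumed prefixes);
## ScreenOS address objects are per zone, so the remote offices exist in Untrust and MPLS.
set address Trust lan 10.1.1.0/24
set address Untrust office2 10.2.2.0/24
set address Untrust office3 10.3.3.0/24
set group address Untrust remote-offices add office2
set group address Untrust remote-offices add office3
set address MPLS office2 10.2.2.0/24
set address MPLS office3 10.3.3.0/24
set group address MPLS remote-offices add office2
set group address MPLS remote-offices add office3

## Policies. Office-to-office traffic via the tunnels is matched first and is NOT NATed;
## only the catch-all Trust->Untrust policy (Internet) applies source NAT on the egress interface.
## Untrust->Trust is scoped to the remote office prefixes, never "any", because the
## tunnels share the Untrust zone with the raw Internet uplink.
set policy from Trust to Untrust lan remote-offices any permit
set policy from Untrust to Trust remote-offices lan any permit
set policy from Trust to Untrust lan any any nat src permit log
set policy from Trust to MPLS lan remote-offices any permit
set policy from MPLS to Trust remote-offices lan any permit
```

The default routes themselves are not configured on the firewall in this model: the CE originates one with a high metric (on a Cisco IOS CE that is `default-information originate metric <n>` under `router ospf`, a command that exists but whose value here is an assumption) and the Internet router originates the better one on the Untrust side, so the firewall simply picks the lower-cost default and falls back to the CE's when the uplink dies. To check the state on a ScreenOS box after applying something like this, `get route` shows which default is active, `get vrouter trust-vr protocol ospf neighbor` shows the CE and both mesh peers, and `get sa` shows whether the tunnels are up.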