If it's OpenVPN related then it should go to that category: http://forum.pfsense.org/index.php/board,39.0.html The top most Sticky by SUllrich handles creating CERTs as your subject suggests. Later on you write about KEYs…

but my clients is able to connect from any internet cafe or a dialup

I am using 1.2-RC2  and i get this error To sunny chowdhry Please tell me how to configure both ends of the tunnel so i can get it to work

Re-IP one of the sites.  How hard could it be? Robert

yep, looks like that was broken by fixing a related bug. I opened a ticket.

OK now i try putting it in front but 1. I normally ping from site that have pfsense but i can't ping from another site without pfsense it look like pfsense don't let me come in to lan. Help please thank

ok, i will try the lan-vpn first, this is not working, i followed the monowall tutorial almost to the letter, i just changed the lifetime to 1000 and group options in fase 1 DH key group to 1 and in fase 2 PFS key group to 1,  this the error i get: ERROR: unknown notify message, no phase2 handle found. this is the pix config: isakmp policy 10 authentication pre-share isakmp policy 10 encryption des isakmp policy 10 hash md5 isakmp policy 10 group 1 isakmp policy 10 lifetime 1000 crypto map newmap 10 ipsec-isakmp crypto map newmap 10 match address 100 crypto map newmap 10 set peer aaa.bbb.ccc.ddd. crypto map newmap 10 set transform-set myset crypto ipsec transform-set myset esp-des esp-md5-hmac What could be wrong?

Policy NAT is possible, not policy NAT with IPsec though.

@tunge2: I can send you config for pfS and shrew client if you like to. Is it posible to get the config files? Is there a howto for Shrew VPN client/PFsense…... Ah! Red line is the question. Yes, it is posible. No, there is not specific one for Shrew (or I couldn't find one) but I can write one when I get some free time. Send mi perosnal mesage with your e-mail and I will send config to you ASAP. Sasa

@eskild: Pointy-hat to me. indeed.  ;D  good catch I opened a ticket on this issue.

The IPSEC pass through stopped after upgrading to the latest build.  At the latest build area.  It was working.  I do have multiple vpn tunnels as well.  they have stopped working both ways.  If I turn on the option on the firewall on the rules tab.  The firewall reboots every 5 five minutes. The passthrough just stopped when I upgraded  to the latest snapshot.  I saw a huge improvement in perfrormance plus multi-processor (Pentium-D).

I have search for open tickets for 1.2rc2, but i cannot find it….

it works with the newest snapshot, thanks

Please search….... http://forum.pfsense.org/index.php/topic,6085.0.html

yes, seems to work. Thanks!

So, go ask the question on the relevant FreeBSD list  ;) If/when it's imported into FreeBSD the chance of getting it into pfSense improve considerably, particularly if it's imported into the version pfSense uses as it's core.

Depending on which 1.2b1 you have (whether a snapshot or the release version), there could be IPsec problems. I don't recall what versions had issues that far back. The 1.2RC2 release, or current 1.2 snapshots, don't have any IPsec issues. I upgrade to snapshots a couple times a week, and other than the couple times in the past 6 months that IPsec has actually been broken, have never had any problems. Typically when this happens, there's a mismatched timeout somewhere. Prefer old SA's shouldn't be used in this case.