Personally I would give OpenVPN a try over PPTP.

I would like to know that as well.
My clients are using sim/smartcards to store an identifier and I'm wondering if I can read from those sims
some sort of a key rather than a cert.

I was able to work around this by creating a port forward nat rule on the lan interface with the ip as ANY with the external port as http and internal ip/port as 192.168.0.12:8080
then i disabled the local squid proxy.

Broadcasting between the VPN users is possible with OpenVPN running in bridge mode (looking only at OpenVPN). OpenVPN implementation on pfSense seems to have some problems with that (as it looks to me when I'm reading through the articles) but one may proove me wrong here. I've tested OpenVPN in the lab in bridging mode and it did indeed worked fine with broadcasts. Never had the opportunity to test it with pfsense though.

So this would require a different class address?

Sticking with non-routable addresses I couldn't quite figure out how to do something past 192.168.20.0 / 255.0.0.0 …

Thanks Bill, the problem has been resolved with your advice. I was thinking about this aliased ip situation from the wrong angle. thanks again for the support.

Sounds like the LAN to LAN might be L2TP? I dont believe pfSense supports this yet, perhaps in a few versions. Or you could try posting a bounty to help epedite the addition and support the project. Otherwise you could try IPSec between the two with DES/MD5 and small bit keys, maybe it supports those? I'd say try to figure out exactly how the Vigor 2800 does IPSec then have pfSense mimic those configurations.

you could try building binary package of vpnc and then sftp'ing  it over to the pfsense machine, and use pkg_add. if that doesn't work maybe you could build the binarys and use tarball to push them over? just a thought.

i believe you could do this with openbsd 3.9/4.0. they have utilities for ipsec failover, i'm sure they'll work they're way into pfSense either through a bounty or in a couple releases.

@hoba:

However we have this already working in head.

This means it's already working in our codetree for the next major version. You won't be able to achieve this with 1.0. You have to wait for the release of this version to get this feature.

Yes, and that error was fixed right after RC2 was released with RC2a or b when I recall correctly.

Not really. pfSense only supports ethernet kind of gear. You would need some kind of dial-on demand 56k network modemrouter for this. There are ISDN-Routers that could be used this way but I don't know of a 56k alternative that does something similiar.

@Phobia:

Hi,

Please don't take from my previous message that I was going to throw in the towel with PFSense!  I was referring to the Netscreen if anything.  ;D

Thanks again for a truly wonderful firewall platform!

– Phob

No problem at all, just wanted to point out that you need that for tunnels from pfsnese to anything (even another pfSense) if one end is dynamic.  ;D

NAT-T will not be included in 1.0.

Maybe 1.1 or in the future.

I've had an IPsec connection to a Watchguard x1000 for a little over a month. I'll be posting some screenshots and a basic howto shortly. (hopefully this week) I will put up the screenshots first, as soon as I can edit out the important stuff.
The short answer is yes, IPsec to watchguard is possible and so, far, seems quite nice.
Pay attention to the "advanced" button when setting up the tunnel on the watchguard side.
Remember; both sides require identical settings for protocols, renegotiating timing, and identifiers.
The default settings do not match between pfsense and watchguard.
This is Monday. I hope to have some images up by Thursday/Friday. (depending how my "real" job goes…)