So this would require a different class address? Sticking with non-routable addresses I couldn't quite figure out how to do something past 192.168.20.0 / 255.0.0.0 …

Thanks Bill, the problem has been resolved with your advice. I was thinking about this aliased ip situation from the wrong angle. thanks again for the support.

Sounds like the LAN to LAN might be L2TP? I dont believe pfSense supports this yet, perhaps in a few versions. Or you could try posting a bounty to help epedite the addition and support the project. Otherwise you could try IPSec between the two with DES/MD5 and small bit keys, maybe it supports those? I'd say try to figure out exactly how the Vigor 2800 does IPSec then have pfSense mimic those configurations.

you could try building binary package of vpnc and then sftp'ing  it over to the pfsense machine, and use pkg_add. if that doesn't work maybe you could build the binarys and use tarball to push them over? just a thought.

i believe you could do this with openbsd 3.9/4.0. they have utilities for ipsec failover, i'm sure they'll work they're way into pfSense either through a bounty or in a couple releases.

@hoba: However we have this already working in head. This means it's already working in our codetree for the next major version. You won't be able to achieve this with 1.0. You have to wait for the release of this version to get this feature.

Yes, and that error was fixed right after RC2 was released with RC2a or b when I recall correctly.

Not really. pfSense only supports ethernet kind of gear. You would need some kind of dial-on demand 56k network modemrouter for this. There are ISDN-Routers that could be used this way but I don't know of a 56k alternative that does something similiar.

@Phobia: Hi, Please don't take from my previous message that I was going to throw in the towel with PFSense!  I was referring to the Netscreen if anything.  ;D Thanks again for a truly wonderful firewall platform! – Phob No problem at all, just wanted to point out that you need that for tunnels from pfsnese to anything (even another pfSense) if one end is dynamic.  ;D

NAT-T will not be included in 1.0. Maybe 1.1 or in the future.

I've had an IPsec connection to a Watchguard x1000 for a little over a month. I'll be posting some screenshots and a basic howto shortly. (hopefully this week) I will put up the screenshots first, as soon as I can edit out the important stuff. The short answer is yes, IPsec to watchguard is possible and so, far, seems quite nice. Pay attention to the "advanced" button when setting up the tunnel on the watchguard side. Remember; both sides require identical settings for protocols, renegotiating timing, and identifiers. The default settings do not match between pfsense and watchguard. This is Monday. I hope to have some images up by Thursday/Friday. (depending how my "real" job goes…)

@IceZy: Is there a snapshot of a version with it, or is it still only in the planning? No there is not.  It's a development version with thousands of new features.

Have a look at http://pfsense.com/index.php?id=33 (the utilities section). You'll find some IPSEC tools and a smal tutorial for one of them there.

No, broadcasts won't leave the own subnet and the other end has a differnet subnetrange.

hoba, thanks for the reply. it turned out to be faulty network card on the WAN interface. Now the ipsec vpn is working flawlessly. great off-shoot of FreeBSD/M0n0wall you guys have created.

Thank you, I will try, but could someone explainds his experiences (soft and configuration (in pfsense and in the soft))?????

Not supported.

Yes, MTU was one of the first things I'v suspected, so I run MTU at 1300 almost from the start (when I installed the tunnel). I just don't know anymore.. but I will probably end up changing hardware all together just to rule out some "issues", but if this fails, it will left me clueless with a Dunce cap somewhere between the two peers. And belive you me - not a pretty picture. P

It's not a good news. But many thanks for your testing. Today, I updated pfsense to RC2h. And I made some tests and found some strange things. I hope it will help you to find the problem on IPSec at OPT1. 1. I disabled the IPSec and made below two tests, a and b. a. DHCP on WAN and OPT1 - I can access Internet through OPT1 when I leave the LAN rule at default gateway. b. Static on WAN and OPT1 - I cannot access Internet through OPT1 when I leave the LAN rule at default gateway. But I can access Internet after I change the LAN rule's gateway to OPT1's gateway. 2. I enabled the IPSec at OPT1. a. DHCP on WAN and OPT1 with the LAN rule at default gateway - I cannot even see SPD on IPSec staus page. b. Static on WAN and OPT1 with the LAN rule at default gateway - I cannot access to Internet. But I can see SPD on IPSec staus page and I found some IPSec logs that IPSec tried to establish tunnel and it failed. Below is the IPSec log. Sep 3 02:21:57 racoon: ERROR: phase1 negotiation failed due to time up. 28cde7f46500a3aa:0000000000000000 Sep 3 02:21:28 racoon: INFO: delete phase 2 handler. Sep 3 02:21:28 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 210.109.xx.xx[0]->210.106.XX.XX[0] Sep 3 02:20:57 racoon: phase1(agg I msg1): 0.102666 Sep 3 02:20:57 racoon: oakley_dh_generate(MODP768): 0.089224 Sep 3 02:20:57 racoon: INFO: begin Aggressive mode. Sep 3 02:20:57 racoon: INFO: initiate new phase 1 negotiation: 210.106.xx.xx[500]<=>210.109.xx.xx[500] Sep 3 02:20:57 racoon: INFO: IPsec-SA request for 210.109.xx.xx queued due to no phase1 found. c. Static on WAN and OPT1. I changed the LAN rule's gateway OPT1's gateway - Now I can access to Internet through OPT1. And I can see SPD on IPSec status page. But I cannot find any logs that IPSec tried to establish tunnel even after I ping to remote subnet. For more accurate test, all tests was made when WAN disconneted. Thank you.