• Open VPN and multiple sites

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    D
    Let me try to see if I understand you correctly. Which one is it: you want to replace IPsec with OpenVPN for a network topology consisting of 3 sites, each of which will be communicating directly with the other two, or you want to keep the current IPsec VPN setup, and just add an OpenVPN remote-access functionality (so that people can connect from e.g. home) to the main site, but you also want remote workers to be able to connect to LAN IPs at all three sites? In the first case, keep in mind that you can't have a fully-routed topology and use both IPsec and OpenVPN at the same time. In the second scenario, you'd need to add IPsec P-2 entries for the OpenVPN roadwarrior subnet at both site-1 and site-3, and push appropriate routes to your OpenVPN clients (assuming you're not redirecting all their traffic to go via the VPN).
  • Tunnel Netmask must be /31?

    Locked
    8
    0 Votes
    8 Posts
    3k Views
    C
    yes they do.
  • Site-to-site OpenVPN with Certificates - best practice

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    jimpJ
    Just make one CA for each "class" of VPN. One just for the site-to-site. Separate ones for each remote access that has a different set of access restrictions. Trying to do a large structure and intermediates is just over-complicating it for very little, if any, benefit.
  • Add some more routes to OpenVPN exported profiles for Mac and Win

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    P
    Thank you so much! :)
  • How do I set up this?

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • OpenVPN with many sites and home users

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Openvpn site to site problem

    Locked
    8
    0 Votes
    8 Posts
    3k Views
    N
    I think the netmask of the tunnel network needs to be /31 please give it a try. @cdc1975: Thanks for your help. ping from pfsense1 lan interface ---> pfsense2 lan-client OK ping from pfsense2 lan interface ---> pfsense1 lan-client OK ping from pfsense1 lan-client ---> pfsense 2 lan-client OK ping from pfsense2 lan-client ---> pfsense 1 lan-client OK From the pfsense1 or 2 is all ok! I can ping or ssh every machine in the 2 network. The problem is only when from a computer in one network I need to access to a computer in the other network. ping from a server in lan 1 --> to a server in lan 2 NOT OK ping from a server in lan 2 --> to a server in lan 1 NOT OK
  • 0 Votes
    2 Posts
    1k Views
    T
    Upgrading to snapshot solved this problem. 2.0.3-PRERELEASE (amd64) built on Sat Feb 9 21:12:53 EST 2013
  • 2 VPN servers, no connection A-to-B while B-to-A is connected

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    M
    The problem was what I was suspecting. I had to create a rule that did not use a static port for destinations with port 1194. I then moved it in front of the rest of the LAN to WAN NAT settings.
  • OpenVPN TAP/Bridged with Win7. All connects but not routing

    Locked
    2
    0 Votes
    2 Posts
    3k Views
    F
    I have TUN working so will stick with this for now and will revisit when pfsense 2.1 is released.
  • Vpn roles

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    J
    Could you use 'client specific overrides' to give specific IP addresses to each user, then standard rules to restrict access?
  • Issues connected ipsec network to openvpn network

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    P
    In the Main Site OpenVPN Server Advanced box add: push "route 192.168.3.0 255.255.255.0" That will tell your OpenVPN road warriors about the route to East Coast. In the East Coast config, you will also need to tell it that the road warrior subnet (192.168.1.0/24) is reached across the IPsec link to Main - then East Coast can route/reply back to Road Warrior. I don't use IPsec, but I guess that will be easy. If you have restrictive firewall rules on OpenVPN or IPsec then you will need to modify those to pass packets to/from all 3 subnets.
  • Site To Site VPN consideration

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    T
    @phil.davis: It should work. Once the OpenVPN tunnel establishes, the routing table at 21x.x.x.x will have an entry for 195.x.x.x/n that will send those packets across the tunnel. Similarly the routing table at 195.x.x.x will have an entry for 21x.x.x.x sending those packets across the tunnel. Once the user packets between 21x.x.x.x<->195.x.x.x are in the tunnel, they are encapsulated and encrypted inside OpenVPN packets. Routers on the real internet only see the OpenVPN tunnel endpoints as source/destination. It will be transparent to the users at either end, and internet routers can't see the details of the user packets encrypted inside the OpenVPN tunnel comms. Thanks Cheers :)
  • Force Specific Traffic Over VPN

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    H
    Easiest way to do that would be to assign an interface to the openvpn-connection (in the interface config set type to "none"). After you assigned an interface you should duplicate the firewall rules from the openvpn connection to the new OPT interface. Then restart the openvpn service. pfsense should automagically create a gateway for the new OPT interface; now you can set that gateway in your lan-firewall rule to direct certain traffic over the openvpn. Enjoy
  • Bypassing openvpn client

    Locked
    2
    0 Votes
    2 Posts
    4k Views
    jimpJ
    Policy routing in the firewall rules. Make a rule at the top of the LAN rules to pass to/from that and select the WAN gateway.
  • [SOLVED] Bridged LAN - Interface to listen for local VPN?

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    S
    podilarius, yeah, I had bridge0 assigned. But I have changed everything (still new to pfSense and throwing configs around) and just accomplished one of my goals: having a separate, public AP (OPT1) with VPN routing to my LAN. samba isn't working in this setup yet but that's next. :)
  • OpenVPN tap bridge not working

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    V
    I'm upping this… no clue anyone?
  • Open_vpn partial connectivity

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    S
    An extra bone… under diagnostics > ping > I am from the wan interface able to ping the linux clients, example 172.16.2.10, but not the windows client 172.16.2.30 ... any ideas?
  • Site-to-site dropout every minute

    Locked
    8
    0 Votes
    8 Posts
    5k Views
    C
    Well again the site connection has dropped out every minute, all day. I've checked squid logs and also bandwidthD and there's nothing to suggest excessive traffic on either end. However the dropouts continue. So I established a private VPN so I could look at the two pfsense appliances side-by-side. The server end never reports a drop-out, however the reconnection from the client end (every minute) is noted in the OpenVPN server logs. On the client side is a repetition of the Inactivity timeout (--ping-restart), restarting log entry. So I tried something. I disabled the client VPN, then disabled the server VPN, waited a minute, re-enabled the server VPN, then re-enabled the client VPN. And now the connection has worked for the past hour without a drop-out. So it seems to me the problem is not necessarily due to constant drop-outs, but instead that once an issue occurs, the reconnect doesn't work properly and the client side attempts unsuccessfully to reconnect every minute, but without a full reset, the connection might not be made again all day. Frustrating… :(
  • 0 Votes
    4 Posts
    2k Views
    AhnHELA
    You're welcome, glad to help.