Hi,
I want to create a VPN. Here's the network config.

1 single computer with Windows 2000 Pro (this will be the client
computer) with direct access to the internet (cable modem).

On the other side:
1 OpenBSD 3.6 Firewall/NAT
2 Windows 2000 Servers
1 Windows 2000 Pro Workstation

One of the Windows 2000 servers is acting as RRAS Server.

Here's the pf.conf on the OpenBSD firewall:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

# $OpenBSD: pf.conf,v 1.28 2004/04/29 21:03:09 frantzen Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

ext_if="xl1"
local_if="lo0"
lan_if="ste0"
dmz_if="xl0"
VPN="enc0"
VPNGW="192.168.0.10"
WWW="192.168.0.10"
SQL="192.168.0.10"
FTP="192.168.0.10"
VNC="192.168.0.10"

table persist

# options
set block-policy drop
set loginterface $ext_if

# scrub rules
scrub out on $ext_if all no-df random-id fragment reassemble

# queueing
altq on $ext_if priq bandwidth 200Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)

# Internet access for the whole 192.168. range
nat on $ext_if from 192.168.0.0/24 to any -> ($ext_if)
nat on $ext_if from 192.168.1.0/24 to any -> ($ext_if)

# redirect the FTP server port
rdr on $ext_if proto tcp from any to any port 21 -> $FTP port 21

rdr on $ext_if proto tcp from any to any port 5900 -> $VNC port 5900

# redirect for the squid transparent proxy cache
#rdr on $lan_if inet proto tcp from any to ! $lan_if port 80 -> 127.0.0.1 port 3128

#
# Block all by default
#

#
# pass localhost
#
pass in quick on $local_if all keep state
pass out quick on $local_if all keep state


#
# Allow IPSEC key exchange protocol from and to VPN GW
#
pass in quick on $ext_if inet proto udp from $VPNGW to any port isakmp keep state
pass out quick on $ext_if inet proto udp from any to $VPNGW port isakmp keep state

#
# Allow esp traffic from and to VPN GW
#
pass in quick on $ext_if inet proto esp from $VPNGW to any
pass out quick on $ext_if inet proto esp from any to $VPNGW
#

#
# Block traffic on VPN by default
#
#block return-rst in log on $VPN all
#block return-rst out log on $VPN all
#
# Allow encapsulated incoming packets. Since incoming packets may be
# encapsulated multiple times, we need to specify the rule below, to allow
# "peeling" of the encapsulation headers until a cleartext packet can be
# handled by the other rules. Outgoing packets are already cleartext on the
# enc0 interface, so they do not need extra care, as long as you have
# a rule that allows outgoing traffic on this interface.
#
#pass in quick on $VPN proto ipencap all
#pass out quick on $VPN all
#

#
# Allow some incoming and outgoing traffic on VPN
#
#pass in quick on $VPN inet proto tcp from any to any port { www, ssh, domain } flags S/SAFR keep state
#pass out quick on $VPN inet proto tcp from any to any port { ssh, domain } flags S/SAFR keep state
# etc...

# Pass permitted packets
pass in log quick on $ext_if inet proto tcp from any port 21 to $FTP port 21 keep state queue (q_def, q_pri)
pass in log quick on $ext_if inet proto tcp from any port 80 to $WWW port 80 keep state queue (q_def, q_pri)
pass in log quick on $ext_if inet proto tcp from any port 5900 to $VNC port 5900 keep state queue (q_def, q_pri)

block in quick on $ext_if from
block out quick on $ext_if to

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>


What am I missing?