@gary-lopez viva la raza carnal!

Anyone already experienced and solved this issue? Additional info: both the pfsense instances are running on two VMware ESXi virtual machines (each one has 4 cores + 4GB RAM) Mauro

@steveits said in Restrictions on IPSEC clients: https://docs.netgate.com/pfsense/en/latest/firewall/time-based-rules.html Thanks, I did try to create some scheduled firewall rules, but they don't seem to have any effect once a IPSEC connection is established. When blocking traffic, they stop the VPN connection from happening. But if the connection is already established, then the iPhone is still able to browse the internet through the VPN. I think this needs to be set up a specific way with firewall rules, but I don't know how to do that. It could also be that having pfSense in a VM makes a difference to how this is done.

@sdedurana a error in config. Solved. Please close.

Wanted to add a bit more info here as this issue remains even after upgrading to 2.6.0 today. My tunnels are IKEv2 in VTI mode. Under Phase 1 Advanced Options, I set "Child SA Start Action" to "Initiate at start (VTI or Tunnel Mode)" and "Child SA Close Action" to "Restart/Reconnect" Under Phase 2 > Keep Alive, I use a host on the other side of the tunnel with Keep Alive "Enable periodic keep alive check". The tunnels do not establish if I shut down the MASTER CARP node or "Enter Persistent CARP Maintenance Mode" on the MASTER CARP node. I have to click Connect to manually establish the tunnels. Seeing these messages in the IPsec System Log charon[43289]: 04[CFG] trap not found, unable to acquire reqid 5002 Have anyone else seen this issue?

@ralph-1 Have you tried adding the VPN connection by hand on the Mac? I think the issue is with the profile including a self signed cert, at least it was with my iPhone. Down load and trust the CA and the additional cert first then add the connection by hand.

Actually I stand corrected. In the advanced setting for the Phase 1, there is a setting to allow multiple P1s. Gateway Duplicates Allows multiple phase 1 configurations to use the same remote endpoint address. Warning This option also disables automatic static routes to the peer via specific WAN gateways. Traffic will follow the default route, not the selected tunnel interface, unless manual static routes redirect the traffic. You'd need to have that option enabled and set up static routes.