• Question about Site to site

    0 Votes
    1 Posts
    384 Views
    No one has replied
  • Pfsense IPSEC LAN to LAN VPN: low bitrate output by iperf2

    0 Votes
    2 Posts
    566 Views
    Has anyone already experienced and solved this issue? Additional info: both pfSense instances are running on two VMware ESXi virtual machines (each one has 4 cores + 4 GB RAM). Mauro
  • Restrictions on IPSEC clients

    0 Votes
    3 Posts
    661 Views
    @steveits said in Restrictions on IPSEC clients: https://docs.netgate.com/pfsense/en/latest/firewall/time-based-rules.html
    Thanks, I did try to create some scheduled firewall rules, but they don't seem to have any effect once an IPsec connection is established. When blocking traffic, they stop the VPN connection from happening. But if the connection is already established, then the iPhone is still able to browse the internet through the VPN. I think this needs to be set up a specific way with firewall rules, but I don't know how to do that. It could also be that having pfSense in a VM makes a difference to how this is done.
  • IPSEC with Nat Translation - no route

    ipsec traslation routing
    0 Votes
    2 Posts
    862 Views
    @sdedurana An error in config. Solved. Please close.
  • Problem with connectivity outside of IPSEC when member is down.

    0 Votes
    1 Posts
    337 Views
    No one has replied
  • Traffic not Routed Properly when I use pfSense LAN IP

    0 Votes
    1 Posts
    369 Views
    No one has replied
  • Can't connect IPSec if other IPSec connected

    0 Votes
    1 Posts
    391 Views
    No one has replied
  • Mobile client failing to connect

    0 Votes
    1 Posts
    426 Views
    No one has replied
  • IPsec tunnels not connecting during CARP HA failover

    carp ipsec
    0 Votes
    3 Posts
    1k Views
    Wanted to add a bit more info here as this issue remains even after upgrading to 2.6.0 today. My tunnels are IKEv2 in VTI mode. Under Phase 1 Advanced Options, I set "Child SA Start Action" to "Initiate at start (VTI or Tunnel Mode)" and "Child SA Close Action" to "Restart/Reconnect". Under Phase 2 > Keep Alive, I use a host on the other side of the tunnel with Keep Alive "Enable periodic keep alive check". The tunnels do not establish if I shut down the MASTER CARP node or "Enter Persistent CARP Maintenance Mode" on the MASTER CARP node. I have to click Connect to manually establish the tunnels. Seeing these messages in the IPsec System Log:
    charon[43289]: 04[CFG] trap not found, unable to acquire reqid 5002
    Has anyone else seen this issue?
  • IPSec status page not reflecting configured tunnels

    0 Votes
    1 Posts
    398 Views
    No one has replied
  • IPsec Export: Apple Profile tilt?

    0 Votes
    8 Posts
    1k Views
    NogBadTheBadN
    @ralph-1 Have you tried adding the VPN connection by hand on the Mac? I think the issue is with the profile including a self-signed cert, at least it was with my iPhone. Download and trust the CA and the additional cert first, then add the connection by hand.
  • Two way IPsec tunnel with single interface is doable?

    0 Votes
    1 Posts
    292 Views
    No one has replied
  • IPSEC Hub to spoke VTI issue/limitation.

    0 Votes
    1 Posts
    425 Views
    No one has replied
  • Mobile Client / Windows 10 / Disconnects every 57min / No error

    0 Votes
    1 Posts
    312 Views
    No one has replied
  • Why do IPSec tunnels with VTI affect each other?

    0 Votes
    3 Posts
    696 Views
    Actually I stand corrected. In the advanced settings for the Phase 1, there is a setting to allow multiple P1s:
    Gateway Duplicates: Allows multiple phase 1 configurations to use the same remote endpoint address. Warning: This option also disables automatic static routes to the peer via specific WAN gateways. Traffic will follow the default route, not the selected tunnel interface, unless manual static routes redirect the traffic.
    You'd need to have that option enabled and set up static routes.
  • IPSEC Phase 2 Configuration

    0 Votes
    1 Posts
    550 Views
    No one has replied
  • After configuring some IPSEC tunnels pfSense collapses

    ipsec webgui freeze vpn tunnel
    0 Votes
    2 Posts
    892 Views
    No one has replied
  • Same partner IP as my LAN subnet - Possible to do inbound NAT?

    0 Votes
    1 Posts
    375 Views
    No one has replied
  • VTI IPv6 Gateway Creation Issue

    0 Votes
    3 Posts
    1k Views
    I think I'm hitting the same issue in 2.6.0-RELEASE. I have a working VTI IPv4 routing scenario linking two LANs and wanted to add IPv6. I added a second P2 on both pfSense nodes configured as follows:
    On node A: local fd87:dcb9:c321:6610::01/126, remote fd87:dcb9:c321:6610::02
    On node B: local fd87:dcb9:c321:6610::02/126, remote fd87:dcb9:c321:6610::01
    The IPv6 tunnel comes up successfully; however, gateways are not defined correctly. In the dashboard gateway widget for OPT1_VTIV6, IPv6 is displayed as ~, RTT pending, status Unknown. In system_gateways.php, a gateway named OPT1_VTIV6 appears but stays empty with no IPv6 nor monitor IP. Interfaces are configured correctly:
    Node A: inet6 fd87:dcb9:c321:6610::1 prefixlen 126
    Node B: inet6 fd87:dcb9:c321:6610::2 prefixlen 126
    I'm however able to ping both sides of the VTI tunnel. If I add a static route from my LANs to OPT1_VTIV6, both LANs can ping each other. However, netstat -rn for the static route shows:
    2001:41c9:1111:d2d::/64 ipsec1 US ipsec1
    which confirms the LAN is routed directly to the interface and not to the IPv6 VTI tunnel like it is done for IPv4. If I add a manual gateway 'test' (on node B for example) on interface OPT1 with IP fd87:dcb9:c321:6610::01, the dashboard displays this gateway correctly. I can then define my static route on this 'test' gateway. Now netstat -rn shows this for the static route:
    2001:41c9:1111:d2d::/64 fd87:dcb9:c321:6610::1 UGS ipsec1
    (same behaviour as with IPv4 VTI). Traffic is passing correctly in both scenarios; however, it does not feel normal to have a route directly to the interface in this case. I tried to set the P2 local IP to a single address (fd87:dcb9:c321:6610::01) or a wider range (fd87:dcb9:c321:6610::01/64) with no more success. If I disable gateway monitoring: no changes. If I force a monitoring IP, the gateway is shown as 'Online' but still with empty IPv6. Any clue on fixing this? Or to disable automatic gateway creation?
  • pfSense IPSEC - Fortigate MultiWAN

    0 Votes
    2 Posts
    331 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.