I'm experiencing exactly the same issue

@thatsysadmin said in IPsec VTI does not pass traffic on 2.6.0:

But why would having one of the phase 2s disabled break the whole thing though; shouldn't it be disregarded if it was disabled?

It could probably handle that better, but it's not a valid combination to have a mix of tunnel and VTI even if some are disabled. They should all be the same type, and really there should be at most one VTI P2 per address family (so one IPv4, one IPv6). I'm not sure if we have validation which actively checks for and prevents that yet, though.

It was a problem of sharing multiple destination networks in one child configuration (at pfSense side). Activation of 'Split connections' option seems to solve my problem.
As I manage manually the configuration files at server side, it is more simple for me to have separate children (one child per network).
Thanks for the assistance!

I added/changed it to AES/SHA256/DH14 in my router and client settings and rekey works! Way better than SHA1/DH2. I can live with this..

Hi there
@lmendoza
Godaddy
https://sysadms.de/2018/09/godaddy-api-fuer-dynamischen-dns-eintrag-unter-pfsense-einrichten/

And you can get valid wildcard certificates (LE) with godaddy's dns api
https://sysadms.de/2019/03/lets-encrypt-zertifikate-unter-pfsense-dns-godaddy/

Dynu.com (also you can get valid wildcard certificates (LE) with dynu dns api)
https://www.dynu.com/DynamicDNS/IPUpdateClient/PFSense
https://www.dynu.com/en-US/Forum/ViewTopic/How-to-create-subdomain/7065
https://community.letsencrypt.org/t/failed-authorization-procedure-the-server-could-not-connect-to-the-client-to-verify-the-domain/60656/4

This eventually got fixed over here:
https://forum.netgate.com/topic/162012/pfsense-release-2-5-openvpn-2-5-broken-any-fixes/74?_=1644012845727

From that screenshot it appears you have disabled both rekey and reauthentication. So when the P1 expires (at most every 8 hours, likely about 1/2 to 2/3 that time) it can't renegotiate a new P1.

The exact method to solve this depends on the tunnel configuration and what the other side supports. Generally speaking, however, you should have a positive value in either rekey or reauth time.

See the recommendations for values here for a good guide:
https://docs.netgate.com/pfsense/en/latest/troubleshooting/ipsec-duplicate-sa.html

update 1
manually added rules for IPv6: isakmp, sae-urn, esp. now it works. but I guess this is still a bug

Thanks for the suggestion but unfortunately no PING.
Since I am able to ping 172.30.2.1 (but not 172.30.2.2), could it be something related to firewall or routing?

Finally fixed it.

Use Radius for authentication. When I checked the Radius server settings. I noticed that I made a config mistake I set the Services Offered to "authentication". When I changed it to "authentication and accounting". Everything started working as it supposed to.

@jimp
Ok, thank you for the response. That does make sense to me as well but I wanted to check just in case.
Thanks!