From that screenshot it appears you have disabled both rekey and reauthentication. So when the P1 expires (at most every 8 hours, likely about 1/2 to 2/3 that time) it can't renegotiate a new P1. The exact method to solve this depends on the tunnel configuration and what the other side supports. Generally speaking, however, you should have a positive value in either rekey or reauth time. See the recommendations for values here for a good guide: https://docs.netgate.com/pfsense/en/latest/troubleshooting/ipsec-duplicate-sa.html

update 1 manually added rules for IPv6: isakmp, sae-urn, esp. now it works. but I guess this is still a bug

Thanks for the suggestion but unfortunately no PING. Since I am able to ping 172.30.2.1 (but not 172.30.2.2), could it be something related to firewall or routing?

Finally fixed it. Use Radius for authentication. When I checked the Radius server settings. I noticed that I made a config mistake I set the Services Offered to "authentication". When I changed it to "authentication and accounting". Everything started working as it supposed to.

@jimp Ok, thank you for the response. That does make sense to me as well but I wanted to check just in case. Thanks!

@jimp ive had an idea which i just tried. i made a subdomain for each phase 2 entry (4 in sum), so i connected 1 ipsec (phase 1) with the IP and added another 3 with different subdomains to the same ip and with the different phase 2 entrys. Seems to work. Looks pretty ugly but at least it works on 2.5.2. ugly ipsec

Do you have Hardware crypto enabled?

I think I've maybe found the issue. I think his home ISP is blocking something. If he creates a wifi hotspot on his smartphone, his Window PC can then connect to our VPN!

@billyhart01 said in IPSec split tunneling: What am I doing wrong? If you tell us, what you did, maybe someone can answer this question.

@dylanw Hi, did you find a solution for this? Because even with the new 2.6.0 beta I experience the same issue. Still staying on 2.5.1 for that reason. Thanks