I did mistake when i was doing the packet capture and i realized that too late, anyway when i capture more the 100 packets (default) i see ISAKMP and ESP under WAN. Now the only question is why the rule for matching IPSEC is not working on the WAN, or precisely why it is not matching UDP 500 or UDP 4500 or ESP. Is there anything that could prevent that?

I was able to work around this by utilizing a VTI tunnel instead, using that VTI as default gateway, in parallel with static route for 192.168.0.0/24 to head to home router. Bi-directions firewall rules allowing WAN/LAN traffic.

...adding that I now see the same "query policy ... in failed..." messages for working VTI tunnels, so that message may be a red herring as far as this issue.

@jimp I don't know about the ID, I have used the same config long time and it was was made following the netgate/pfsense guide how to setup ipsec. It's working now after clearing and re-enter the config :) Thank you for taking your time to answer

@stephenw10 any ideas?

@yathus said in Multiple VTI IPSEC tunnels with /30 on same 192.168.X.0 ?: May be it's because one my client is not on latest version ? (2.4.4-p2) That is likely the case. Some older versions didn't properly respect the configured subnet mask for VTI interfaces. Update both to a current version and try again.

Bump. Still haven't been able to figure this out.

Maybe an example of a running Cisco pfSense VTI tunnel connection with dynmaic routing helps: Cisco-pfSense with VTI Unfortunately in German but ist pretty self explaining.

Maybe it helps... You can find a running Cisco pfSense VPN configuration here: Cisco-pfSense with VTI Unfortunately in German but the screenshot and config is pretty self explaining.

feature request created: https://redmine.pfsense.org/issues/11211

@Ziomalski do you have any further ideas here?