Hi.
I use CRS5125-24G-1S-2HmD-IN and RouterOS v6.19 for IPSec/L2TP hub router.
My settings IPSec Peer:

/ip ipsec peer print
Flags: X - disabled, D - dynamic
0 address=0.0.0.0/0 local-address=0.0.0.0 passive=yes port=500
auth-method=pre-shared-key secret=******
generate-policy=port-strict exchange-mode=main-l2tp
send-initial-contact=no nat-traversal=yes
my-id-user-fqdn="**" hash-algorithm=sha1
enc-algorithm=aes-256 dh-group=modp4096 lifetime=8h
dpd-interval=disable-dpd dpd-maximum-failures=1

And I have 4 Spoke Routers. They biuld IPsec/L2TP tunnel and use dynamic address.

After once week, I have 50 (!!!) dynamic policy on the hub for onle 4 Spoke!
Why don't dynamic policy remove on the hub after reload Spoke?
I can remove this policy if I use "kill-connections".

Enable DPD

I tried to do it.
It didn't help.

UP!

I updated the firmware to the latest version. My issue isn't solve.
The problem occurs after disconnect a spoke (ex. power off)