Do both users come from the same (public) IP? Then this is normal. IPSec cannot distinguish them.
Try one from a different IP, for example via WIFI tethering from your mobile phone.
This really drove me crazy on my CRS328-24P-4S+*) crs3xx - fixed tagged packet forwarding without VLAN filtering (introduced in 6.42.6);
Even in CAPsMAN! \o/*) wireless - added option to disable PMKID for WPA2;
Sure. No big issue...I feel your painbut hope MT guys will fix more serious things first.