Google Cloud Platform GCP - VPN - BGP

Unfortunately, that’s what I do also, but that’s not a solution for an unstable IPsec tunnel. So again, I believe MikroTik has a serious issue with IPsec. That’s not a trick to have a stable IPsec connection between two MikroTik devices or virtual instances like CHR, rather than having a stable connection between MikroTik and another provider, e.g. GCP or AWS (in the second scenario I don’t know if there are the same issues).

MikroTik support have had a ticket open for this since 2019 and still no solution. They gave me an incomprehensible suggestion to disable PFS (when Google requires that), or maybe I don’t understand what they had in mind.

Emīls Z. 04/12/19 09:40:03
Hello,

Please try the previously suggested workarounds: disabling the phase 2 lifetime on the MikroTik side and disabling the PFS group on the MikroTik side. The IKEv2 protocol has independent rekeying times, so they do not have to match on both sides. Also, the PFS group can be set to none; there is a reference in the GCP documentation regarding it if you insist on following it despite my recommendations.
“If your VPN gateway requires DH settings for Phase 2, use the same settings you used for Phase 1.”

But setting PFS to none will obviously end up with this

So I don’t know what they suggest and why like so.