I have updated two RBs, which are set up with a VPN between them, to v3.24. The VPN worked fine with v2.9x but now it doesn't. As part of my fault diagnosis I have observed the following log on one of the RBs when I ping the other RB.
echo: ipsec initiate new phase 2 negotiation: 218.185.225.70[500]<=>218.185.226.17[500]
[admin@771] >
echo: ipsec 218.185.226.17 give up to get IPsec-SA due to time up to wait.
echo: ipsec IPsec-SA expired: ESP/Tunnel 218.185.226.17[0]->218.185.225.70[0] spi=146250513(0x8b79b11)
The pings are either timing out or showing packet rejected.
Below is the Route table for both RBs:
[admin@771] > ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY-STATE GATEWAY DISTANCE INTERFACE
0 A S 0.0.0.0/0 reachable 218.185.225.1 1 wlan1
1 ADC 192.168.1.0/24 192.168.1.254 0 ether1
2 A S 192.168.3.0/24 reachable 192.168.1.254 1 ether1
3 ADC 218.185.225.0/24 218.185.225.70 0 wlan1
[admin@519] > ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY-STATE GATEWAY DISTANCE INTERFACE
0 A S 0.0.0.0/0 reachable 218.185.226.1 1 wlan1
1 ADC 10.254.0.0/16 10.254.0.4 0 wlan1
2 A S 192.168.1.0/24 reachable 192.168.3.254 1 ether1
3 ADC 192.168.3.0/24 192.168.3.254 0 ether1
4 ADC 218.185.226.0/24 218.185.226.17 0 wlan1
I also had Torch running on the wlan1 interfaces on both RBs while sending pings both ways. Every now and then it would show the pings leaving the interface, and it seemed to do this only when the IPsec-SA expired.
I did see on another forum post that there may be a bug with IPsec on v3.x. However, that was posted in March this year. Does anyone know if this is still the case, as newer versions have come out since then?
Below is the IPsec setup and data after a ping test on both RBs:
[admin@771] > ip ipsec policy print
Flags: X - disabled, D - dynamic, I - inactive
0 src-address=192.168.1.0/24:any dst-address=192.168.3.0/24:any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=218.185.225.70 sa-dst-address=218.185.226.17
proposal=default priority=0
[admin@771] > ip ipsec peer print
Flags: X - disabled
0 address=218.185.226.17/32:500 auth-method=pre-shared-key secret="c3b6a912261ef6cd964b4a1762b393ca85db9860"
generate-policy=no exchange-mode=aggressive send-initial-contact=yes nat-traversal=no proposal-check=obey
hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd
dpd-maximum-failures=1
[admin@771] > ip ipsec proposal print
Flags: X - disabled
0 name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m pfs-group=modp1024
[admin@519] > ip ipsec policy print
Flags: X - disabled, D - dynamic, I - inactive
0 src-address=192.168.3.0/24:any dst-address=192.168.1.0/24:any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
sa-src-address=218.185.226.17 sa-dst-address=218.185.225.70 proposal=default priority=0
[admin@519] > ip ipsec peer print
Flags: X - disabled
0 address=218.185.225.70/32:500 auth-method=pre-shared-key secret="c3b6a912261ef6cd964b4a1762b393ca85db9860" generate-policy=no exchange-mode=aggressive
send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0
dpd-interval=disable-dpd dpd-maximum-failures=5
[admin@519] > ip ipsec proposal print
Flags: X - disabled
0 name="default" auth-algorithms=md5,sha1 enc-algorithms=3des,aes-128 lifetime=30m pfs-group=modp768
[admin@519] > ip ipsec installed-sa print
Flags: A - AH, E - ESP, P - pfs
0 E spi=0xA966D37 src-address=218.185.225.70 dst-address=218.185.226.17 auth-algorithm=sha1 enc-algorithm=3des replay=4 state=mature
auth-key="b247a0fef64bc53de830f0fcb6b02d75ac079af3" enc-key="f4fcd2ad32c8ee1ba252dc8f388b9b346f8889d8e1cc5ef5" add-lifetime=24m/30m use-lifetime=0s/0s
lifebytes=0/0
1 E spi=0xF98B93D src-address=218.185.226.17 dst-address=218.185.225.70 auth-algorithm=sha1 enc-algorithm=3des replay=4 state=mature
auth-key="ae2c9ab24d1eb28710722d5b3a7864c6bd3748b2" enc-key="da07ea3a9daa24e4e6301cabe04d6e835c29773616cb28e8" add-lifetime=24m/30m use-lifetime=0s/0s
lifebytes=0/0
[admin@519] > ip ipsec remote-peers print
0 local-address=218.185.226.17 remote-address=218.185.225.70 state=established side=initiator established=5h5m9s
Any feedback would be helpful, as I have spent all day on this and now need help.
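The configuration printed above for the two routers, compared side by side by a small script. This is an added example written for this page; it is not code from the post and not a RouterOS tool. It parses the pasted `print` output of both routers, checks that the two policies mirror each other (src/dst and sa-src/sa-dst swapped), that the phase 1 peer settings are identical, and that the two `default` proposals share at least one auth and one enc algorithm; treating `pfs-group` and `lifetime` as having to match exactly is an assumption of the script, not something the post establishes. Run on the post's own output it reports the `pfs-group` difference (modp1024 on 771, modp768 on 519) and the differing `dpd-maximum-failures`, and nothing else.

```python
# Side-by-side check of IPsec settings pasted from two RouterOS peers.
# Added example for this page; not code from the forum post or from RouterOS.
import re

KV = re.compile(r'([\w-]+)=("[^"]*"|\S+)')      # key=value or key="quoted value"
PROMPT = re.compile(r'^\[[^\]]+\]\s*>\s*(.*)$')  # e.g. [admin@771] > ip ipsec peer print
ENTRY = re.compile(r'^\d+\s')                    # a printed entry starts with its index
# Phase 1 settings this example treats as having to be identical on both ends
PHASE1_FIELDS = ("exchange-mode", "hash-algorithm", "enc-algorithm", "dh-group",
                 "nat-traversal", "lifetime", "secret")

def parse_session(text):
    """Split a pasted session into {command: [entry, ...]}: a prompt line names
    the command, an index number opens an entry, key=value lines fold into it."""
    sections, entries = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        prompt = PROMPT.match(line)
        if prompt:
            cmd = prompt.group(1).strip()
            entries = sections.setdefault(cmd, []) if cmd else None
            continue
        if not line or line.startswith("Flags:") or entries is None:
            continue  # blank line, Flags legend, or output before any prompt
        if ENTRY.match(line):
            entries.append({})
        if entries:
            for key, val in KV.findall(line):
                entries[-1][key] = val.strip('"')
    return sections

def compare_proposals(left, right):
    """Phase 2: algorithm lists need a common member; pfs-group and lifetime are
    compared for exact equality (assumption of this example)."""
    result = {}
    for field in ("auth-algorithms", "enc-algorithms"):
        common = set(left[field].split(",")) & set(right[field].split(","))
        verdict = ("ok (%s)" % ",".join(sorted(common))) if common else "NO COMMON ALGORITHM"
        result[field] = (left[field], right[field], verdict)
    for field in ("pfs-group", "lifetime"):
        verdict = "ok" if left[field] == right[field] else "MISMATCH"
        result[field] = (left[field], right[field], verdict)
    return result

def compare_peers(left, right):
    """Phase 1: PHASE1_FIELDS must match; any other differing field is reported
    as informational. `address` is skipped since each side points at the other."""
    result = {f: "ok" if left.get(f) == right.get(f) else "MISMATCH" for f in PHASE1_FIELDS}
    for field in sorted(set(left) | set(right)):
        if field not in PHASE1_FIELDS and field != "address" and left.get(field) != right.get(field):
            result[field] = "differs (%s vs %s)" % (left.get(field), right.get(field))
    return result

def policies_mirror(left, right):
    """True when the two tunnel policies are exact mirrors of each other."""
    return (left["src-address"] == right["dst-address"]
            and left["dst-address"] == right["src-address"]
            and left["sa-src-address"] == right["sa-dst-address"]
            and left["sa-dst-address"] == right["sa-src-address"]
            and left["tunnel"] == right["tunnel"] == "yes")

def check_pair(left_session, right_session):
    """Parse both pasted sessions and compare entry 0 of each print."""
    a, b = parse_session(left_session), parse_session(right_session)
    pick = lambda s, what: s["ip ipsec %s print" % what][0]
    return {"proposal": compare_proposals(pick(a, "proposal"), pick(b, "proposal")),
            "peer": compare_peers(pick(a, "peer"), pick(b, "peer")),
            "policy_mirror": policies_mirror(pick(a, "policy"), pick(b, "policy"))}

# The two sessions as pasted in the post (Flags legend lines left out; the parser skips them)
RB771 = """\
[admin@771] > ip ipsec policy print
0 src-address=192.168.1.0/24:any dst-address=192.168.3.0/24:any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=218.185.225.70 sa-dst-address=218.185.226.17
proposal=default priority=0
[admin@771] > ip ipsec peer print
0 address=218.185.226.17/32:500 auth-method=pre-shared-key secret="c3b6a912261ef6cd964b4a1762b393ca85db9860"
generate-policy=no exchange-mode=aggressive send-initial-contact=yes nat-traversal=no proposal-check=obey
hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd
dpd-maximum-failures=1
[admin@771] > ip ipsec proposal print
0 name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m pfs-group=modp1024
"""
RB519 = """\
[admin@519] > ip ipsec policy print
0 src-address=192.168.3.0/24:any dst-address=192.168.1.0/24:any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
sa-src-address=218.185.226.17 sa-dst-address=218.185.225.70 proposal=default priority=0
[admin@519] > ip ipsec peer print
0 address=218.185.225.70/32:500 auth-method=pre-shared-key secret="c3b6a912261ef6cd964b4a1762b393ca85db9860" generate-policy=no exchange-mode=aggressive
send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0
dpd-interval=disable-dpd dpd-maximum-failures=5
[admin@519] > ip ipsec proposal print
0 name="default" auth-algorithms=md5,sha1 enc-algorithms=3des,aes-128 lifetime=30m pfs-group=modp768
"""

if __name__ == "__main__":
    for section, verdicts in check_pair(RB771, RB519).items():
        print(section, verdicts)
```

To use it on another pair of routers, paste each router's `ip ipsec policy print`, `ip ipsec peer print` and `ip ipsec proposal print` output, prompts included, into the two strings and run it; the parser keys sections by the prompt line, so the prompt text must be present exactly as the router prints it.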