That sounds like you haven’t configured IPsec manually but have ticked the “use ipsec” checkbox in L2TP (or GRE before) configuration. Is that the case? The auto-generated IPsec configuration never uses exchange-mode=ike2.
There cannot be a single policy for several users. Either you have a single policy template and an individual policy generated from it for each user, or you really have a single generated policy which most likely means that you connect both users from behind the same public IP address.
To avoid confusion, please export and post your configurations from all three devices following the guidelines in my automatic signature, and also post the output of
/ip ipsec remote-peer print
/ip ipsec policy print
/ip ipsec installed-sa print
while both users are logged in. Obfuscate also the output of these commands systematically (i.e. all occurrences of the same IP address have to be replaced with the same meaningful string to maintain the integrity of information).
A “connection drop-out” may induce some firewalls between the IPsec peers to forget the connections, and if the peer “protected” by such a firewall only listens and doesn’t actively send anything, the firewall doesn’t let the packets in the active direction in. By flushing the installed-sa or disabling/enabling the policy you trigger the renegotiation, but it again means that you have to do that at the “protected” peer so that it creates a pinhole in the firewall.
For each of the three devices it is important to know whether it runs a public IP address on itself or whether it is behind some NAT device.
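One way to do the systematic obfuscation requested above, as an added example that is not part of the original post: each distinct IPv4 address gets one stable label, and the label keeps the private/public distinction so the NAT question can still be answered from the sanitized output. The `Obfuscator` class, the label format and the sample lines are assumptions made for illustration.

```python
import ipaddress
import re

# Candidate dotted quads; ipaddress validates them afterwards.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# RFC 1918 ranges plus the carrier-grade NAT range: seeing one of these on a
# WAN interface means the device sits behind NAT.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

class Obfuscator:
    """Replace each distinct IPv4 address with one stable label."""

    def __init__(self):
        self.labels = {}                         # real address -> label
        self.counters = {"priv": 0, "pub": 0}

    def _label(self, text):
        try:
            addr = ipaddress.IPv4Address(text)
        except ValueError:
            return text                          # e.g. 999.1.1.1 is not an address
        if addr.is_unspecified or addr.is_loopback:
            return text                          # 0.0.0.0/0 and 127.0.0.1 reveal nothing
        if addr not in self.labels:
            kind = "priv" if any(addr in n for n in PRIVATE_NETS) else "pub"
            self.counters[kind] += 1
            self.labels[addr] = f"{kind}-ip-{self.counters[kind]}"
        return self.labels[addr]

    def scrub(self, text):
        # Prefix lengths such as /24 follow the match and are left in place.
        return IPV4_RE.sub(lambda m: self._label(m.group(1)), text)

# Constructed sample lines, loosely modelled on IPsec peer and policy output;
# documentation-range addresses stand in for real public IPs.
SAMPLE = """\
remote-address=203.0.113.7 local-address=192.168.88.1 state=established
src-address=192.168.88.0/24 dst-address=10.10.0.0/24 sa-dst-address=203.0.113.7
src-address=0.0.0.0/0 dst-address=198.51.100.20/32
"""

if __name__ == "__main__":
    print(Obfuscator().scrub(SAMPLE))
```

Run the exports and command outputs of all three devices through the same `Obfuscator` instance, so that an address appearing on more than one device receives the same label everywhere.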