So the
connection print shows no hidden src-nat/masquerade rule is the culprit as the
reply-dst-address is the same like the
src-address.
With the installed SAs, I assume it's one pair per policy hence 4 for 2 policies? That being the case, it looks like the counters are increasing on the pair for the 192.168.255.x subnets, but those associated to the 172.16.x.x counters are not changing.
The thing is that you cannot know which pair of SAs is linked to which policy by any indicator. You would have to disable the policy for 192.168 to be sure. But a question - what
level is set on the individual policies,
require or
unique? And is the
level the same at both ends? The thing is that
unique causes strict use and checking of the particular SA per policy (so packets which come through a wrong SA are dropped), whereas
require uses and allows any of the SAs between the peers to be used. So if this setting doesn't match between the peers, it could be the explanation.
The pace of packet count growth is another way to see whether it's the pings that is being forwarded through the SA - if the ping is stopped and the packet count keeps growing when you run the
/ip ipsec installed-sa print with
interval=1s, it means some other traffic is sent via that SA. If that other traffic is sufficiently low and stable, pinging with
interval=30ms might help as it would add 33 more packets per second instead of just one.
I presume the current byte count (not increasing in either direction) relates to when the tunnel was first established.
The SAs normally get replaced by ones every about 30 minutes by default, so the fact that the silent one did count some packets in the past is suspicious. Some traffic must have been sent down that SA during past 30 minutes at maximum.