Check with netwatch whether the tunnel works. When it stops responding, remove the SAs. It will link again.
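The netwatch-and-flush approach described above, as an added example in RouterOS (v6 CLI syntax) that is not from the original post. The tunnel endpoint 10.20.0.1 is a hypothetical address on the remote LAN that is only reachable through the IPsec tunnel, so a failed ping from the router means the tunnel is not passing traffic:

```routeros
# Added example, not from the original post. Assumes RouterOS v6 syntax and a
# hypothetical remote LAN address 10.20.0.1 that is reachable only via the tunnel.
#
# Netwatch pings the host every 30 s. On the up->down transition it runs
# down-script once, which logs a warning and drops every installed SA so that
# IKE has to negotiate fresh ones; on the down->up transition it only logs.
/tool netwatch add host=10.20.0.1 interval=30s timeout=2s \
    down-script=":log warning \"netwatch: tunnel to 10.20.0.1 down, flushing IPsec SAs\"; /ip ipsec installed-sa flush" \
    up-script=":log info \"netwatch: tunnel to 10.20.0.1 up again\""
```

Two caveats a practitioner should keep in mind: `installed-sa flush` drops the SAs of every peer on the router, not only the one that failed, so it is a blunt recovery tool; and the probe is only meaningful if the router's own source address is covered by the tunnel's IPsec policy, otherwise the ping leaves the router unencrypted and tests the plain WAN path instead of the tunnel.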
As I wrote, if I remove SAs, new SAs will be installed, but the connections remain unusable.
It happens to all connections at the same time. I guess there is nothing wrong with individual SAs, individual peers, and policies. Something seems to affect the whole IPsec function.
If it happens again, I will try to check whether packets entering the router from the LAN are leaving the router encapsulated on the WAN. I have no idea what else to check.
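One way to perform the check described in the post above (is LAN traffic actually leaving the WAN side as ESP?), as an added RouterOS example that is not from the original post. It assumes RouterOS v6 syntax, a WAN interface named ether1 and a hypothetical remote peer address 203.0.113.5:

```routeros
# Added example, not from the original post. Assumes RouterOS v6, WAN interface
# ether1 and a hypothetical remote IPsec peer at 203.0.113.5.

# 1. Byte counters of the installed SAs. While LAN hosts are sending traffic,
#    current-bytes of the outbound SA towards the peer must grow between the
#    two prints; a frozen counter means nothing is being encapsulated.
/ip ipsec installed-sa print
:delay 5s
/ip ipsec installed-sa print

# 2. Confirm ESP actually leaves the WAN interface towards the peer for 10 s.
#    No packets here while step 1 is stalled points at the IPsec stack rather
#    than at the peer or the SA parameters.
/tool sniffer quick interface=ether1 ip-protocol=ipsec-esp ip-address=203.0.113.5 duration=10

# 3. State of the phase-2 policies and the IKE peers at the same moment,
#    to pair the traffic observation with what the negotiation believes.
/ip ipsec policy print
/ip ipsec active-peers print
```

Running steps 1 and 2 while the problem is present, and again after the SAs have been re-negotiated, shows whether the freshly installed SAs receive any plaintext from the LAN at all or whether the packets are encapsulated but never answered by the peer.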
Do both ends use the very same NTP server?
I had exactly this issue a year ago when my VPN RB was syncing with a different NTP server than the remote peer.
Bringing both on the same NTP server instantly solved the problem.
Very strange. Is there an explanation for this? IMHO, IPsec should work even if they were not synchronized at all.
To answer your question: both ends use NTP, but not the same server. Remote hosts use a random server from an NTP pool for Europe. The router gets its time from the central server on the LAN, which in turn is synchronized using the mentioned pool.