Thanks for the replies!
I'd look at keepalive mechanisms. If there is no way for the router to detect a tunnel failure, then it will happily send packets via the tunnel that no longer has a valid security association (SA) until the byte counter or tunnel timer expires.
Imagine if router B reboots. It has no knowledge of the tunnel prior to the reboot, so it establishes a new tunnel. However, router A doesn't detect the old tunnel session has been lost. It now has both the old tunnel and the new tunnel established to router B. However, I believe it will continue using the old tunnel until it expires.
Good point; however, whenever the issue is there, I always just see one association, and it is this exact association that counts up as soon as the sides start sending packets. So I assume that isn't it.
Maybe something with the firewall, specifically the "RELATED, ESTABLISHED" rule?
Both sides send packets and await a reply, so the incoming packet is treated as a reply.
Also, do you try only ping, or some other traffic as well?
I think it has to be something around that, but I do not see the flaw.
No connection whatsoever is working across the tunnel before both sides send packets. I just use ping to get the connection going (although any kind of packet does the trick).
The rule set on the central site is more complicated, but this is the rule set of the remote site (pretty much the default):
1 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid
2 ;;; access to router via VPN
chain=input action=accept log=no log-prefix="" ipsec-policy=in,ipsec
3 ;;; access to router via VPN
chain=output action=accept log=no log-prefix="" ipsec-policy=out,ipsec
4 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked
5 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp
6 ;;; defconf: accept to local loopback (for CAPsMAN)
chain=input action=accept dst-address=127.0.0.1
7 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN log=no log-prefix=""
8 ;;; defconf: accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec
9 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec
10 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related
11 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked
12 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid
13 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
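To make the "which rule does this packet actually hit" question concrete, here is an added example that is not part of the thread and not MikroTik code: a simplified Python replay of the thirteen rules posted above, evaluated top to bottom per chain with first match terminating, against a few constructed packets (decrypted tunnel traffic, cleartext from the WAN, an established reply, and ICMP/TCP aimed at the router). The model assumes RouterOS's default of accepting a packet that matches no rule, treats fasttrack-connection as terminating for the matched packet, and ignores raw/mangle/NAT chains; the packet field values and the 198.51.100.1 router address are constructed. One thing it makes visible is the ordering: the ipsec-policy accept rules (8 and 9) sit ahead of the fasttrack rule (10), so decrypted tunnel traffic is accepted before fasttrack is ever considered.

```python
# Added example, not code from the thread: a simplified first-match replay of the
# posted RouterOS filter rules.  Assumptions: rules are evaluated top to bottom
# within a chain, the first match ends evaluation (fasttrack-connection is treated
# as terminating here), and a packet matching no rule is accepted, which is the
# RouterOS default.  Packet dictionaries below are constructed for illustration.

RULES = [
    # (rule number, chain, action, matchers) transcribed from the posted rule set
    (1,  "input",   "drop",   {"connection-state": {"invalid"}}),
    (2,  "input",   "accept", {"ipsec-policy": "in,ipsec"}),
    (3,  "output",  "accept", {"ipsec-policy": "out,ipsec"}),
    (4,  "input",   "accept", {"connection-state": {"established", "related", "untracked"}}),
    (5,  "input",   "accept", {"protocol": "icmp"}),
    (6,  "input",   "accept", {"dst-address": "127.0.0.1"}),
    (7,  "input",   "drop",   {"in-interface-list": "!LAN"}),
    (8,  "forward", "accept", {"ipsec-policy": "in,ipsec"}),
    (9,  "forward", "accept", {"ipsec-policy": "out,ipsec"}),
    (10, "forward", "fasttrack-connection", {"connection-state": {"established", "related"}}),
    (11, "forward", "accept", {"connection-state": {"established", "related", "untracked"}}),
    (12, "forward", "drop",   {"connection-state": {"invalid"}}),
    (13, "forward", "drop",   {"connection-state": {"new"},
                               "connection-nat-state": "!dstnat",
                               "in-interface-list": "WAN"}),
]


def _negated(want):
    """Split a RouterOS matcher value such as '!LAN' into (negated, value)."""
    return want.startswith("!"), want.lstrip("!")


def matches(matchers, packet):
    """Return True when every matcher of the rule applies to the packet."""
    for key, want in matchers.items():
        have = packet.get(key)
        if key == "connection-state":
            # the rule lists several states; any one of them matches
            if have not in want:
                return False
        elif key == "in-interface-list":
            # the packet carries the set of interface lists its ingress interface belongs to
            negated, name = _negated(want)
            if (name in have) == negated:
                return False
        elif key == "connection-nat-state":
            negated, name = _negated(want)
            if (have == name) == negated:
                return False
        elif have != want:
            return False
    return True


def evaluate(packet):
    """Walk the packet's chain top to bottom; return (rule number, action)."""
    for number, chain, action, matchers in RULES:
        if chain == packet["chain"] and matches(matchers, packet):
            return number, action
    return None, "accept"  # no rule matched: RouterOS default is accept


# Constructed sample packets (field names mirror the RouterOS matchers).
SAMPLE_PACKETS = {
    # decrypted IPsec packet from the remote LAN, transiting to the local LAN
    "forward-from-tunnel": {"chain": "forward", "connection-state": "new",
                            "ipsec-policy": "in,ipsec", "protocol": "icmp",
                            "in-interface-list": {"WAN"}, "connection-nat-state": None},
    # plain cleartext packet arriving from the WAN with no IPsec policy
    "forward-cleartext-wan": {"chain": "forward", "connection-state": "new",
                              "ipsec-policy": None, "protocol": "tcp",
                              "in-interface-list": {"WAN"}, "connection-nat-state": None},
    # reply traffic of an already tracked connection
    "forward-established": {"chain": "forward", "connection-state": "established",
                            "ipsec-policy": None, "protocol": "tcp",
                            "in-interface-list": {"WAN"}, "connection-nat-state": None},
    # ping aimed at the router itself from the WAN (constructed address)
    "input-icmp-wan": {"chain": "input", "connection-state": "new",
                       "ipsec-policy": None, "protocol": "icmp",
                       "in-interface-list": {"WAN"}, "dst-address": "198.51.100.1"},
    # management attempt at the router from the WAN
    "input-tcp-wan": {"chain": "input", "connection-state": "new",
                      "ipsec-policy": None, "protocol": "tcp",
                      "in-interface-list": {"WAN"}, "dst-address": "198.51.100.1"},
}


def decisions():
    """Map each sample packet to the (rule number, action) it hits."""
    return {name: evaluate(pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, (number, action) in decisions().items():
        print(f"{name:24s} -> rule {number}: {action}")
```

Adding a packet dictionary for whatever the central site's more complicated rule set does is the natural next step: transcribe those rules into RULES in the same order and compare the decisions for the same constructed packets on both ends.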