So, at last I had the guts to start updating some remote systems from the slightly older but 'stable' 6.49.6 to the somewhat newer 7.1.5, which was considered 'stable' some time ago. IPsec site2site stopped working for me. I didn't change any settings (both sides are rb4001, aes256-gcm), and the weird thing is, IPsec seems to set up fine (the endpoint is present in active peers, I can see 6 SAs - I'm using 3 different P2 policies), and... pinging the other side works.
The odd thing is, TCP traffic doesn't work as it should - the connection seems to establish (SYN, SYN/ACK, ACK) but I can't see the server greeting from the other side (tried with multiple servers, multiple services - telnet, http, https). At first I thought there might be some MSS issue, so I limited the MSS to 1300, but no luck.
Here is where it gets tricky... I enabled 'all traffic' in firewall with enabled logging, and the return traffic (stuff that the server should send back) is identified as 'new traffic' even though I assume it should be identified as a part of an established session.
Rolling back remote site from v7.1.5 to v6.49.6 resolves the issue.
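The symptom described above (return traffic of an already-completed handshake being logged as a new connection) can be confirmed mechanically from the firewall log instead of by eye. The script below is an added example, not part of the post or of RouterOS; the log line layout it parses is a constructed simplification that carries the TCP flags, the 5-tuple and the connection-state the firewall assigned, and is not RouterOS's exact log format. It tracks each flow's three-way handshake and reports any later packet in that flow that the firewall still tagged "new".

```python
import re
from collections import defaultdict

# Constructed sample log lines in a simplified firewall log format (an
# assumption for this example, not RouterOS's real layout). Line 4 is the
# server greeting coming back through the tunnel and being classified "new".
SAMPLE_LOG = """\
forward: in:ipsec-in out:bridge1, proto TCP (SYN), 10.10.0.5:51234->10.20.0.8:23, len 60, state new
forward: in:bridge1 out:ipsec-out, proto TCP (SYN,ACK), 10.20.0.8:23->10.10.0.5:51234, len 60, state established
forward: in:ipsec-in out:bridge1, proto TCP (ACK), 10.10.0.5:51234->10.20.0.8:23, len 52, state established
forward: in:bridge1 out:ipsec-out, proto TCP (PSH,ACK), 10.20.0.8:23->10.10.0.5:51234, len 79, state new
forward: in:ipsec-in out:bridge1, proto TCP (SYN), 10.10.0.5:51300->10.20.0.8:80, len 60, state new
forward: in:bridge1 out:ipsec-out, proto TCP (SYN,ACK), 10.20.0.8:80->10.10.0.5:51300, len 60, state established
"""

LINE_RE = re.compile(
    r"proto TCP \((?P<flags>[A-Z,]+)\), "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+), "
    r"len \d+, state (?P<state>\w+)"
)


def parse_line(line):
    """Extract flags, 5-tuple and firewall state from one log line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["flag_set"] = set(rec["flags"].split(","))
    return rec


def flow_key(rec):
    # Canonical key so that both directions of a connection map to one flow.
    a = (rec["src"], rec["sport"])
    b = (rec["dst"], rec["dport"])
    return (a, b) if a <= b else (b, a)


def find_state_anomalies(log_text):
    """Return packets that belong to a flow whose SYN and SYN,ACK were already
    logged, yet were tagged 'new' by the firewall. A healthy connection
    tracker would tag everything after the handshake as 'established'."""
    handshake = defaultdict(set)  # flow key -> handshake stages seen so far
    anomalies = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        key = flow_key(rec)
        flags = rec["flag_set"]
        if flags == {"SYN"}:
            handshake[key].add("syn")
        elif flags == {"SYN", "ACK"}:
            handshake[key].add("synack")
        completed = {"syn", "synack"} <= handshake[key]
        if rec["state"] == "new" and completed and "SYN" not in flags:
            anomalies.append({
                "line": lineno,
                "flow": f'{rec["src"]}:{rec["sport"]}->{rec["dst"]}:{rec["dport"]}',
                "flags": rec["flags"],
            })
    return anomalies


if __name__ == "__main__":
    for a in find_state_anomalies(SAMPLE_LOG):
        print(f'line {a["line"]}: {a["flow"]} [{a["flags"]}] tagged new after handshake')
```

Run against the constructed log it flags only line 4, the server's PSH,ACK reply. On a real device the same check can be fed a log export from a logging rule that matches all traffic, which is what the post describes doing; a hit means the reply packets are not being matched to the tracked connection, so a firewall allowing only connection-state=established,related return traffic will drop them even though the IPsec SAs and the handshake look fine.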