User data packets are dropped until the IPsec connection is established. ICMP “admin prohibited” packets are sent back to the source address. The ping response is “Packet filtered”.
There is only one instance of the SA under normal conditions. While a key exchange (rekey) is in progress, two instances may exist at the same moment. In certain circumstances the connection can be duplicated. This should not cause any problems for user traffic, but it does consume system resources and increase network overhead.
If the connection breaks when the “SA lifetime” expires (i.e. at rekey), the “Diffie-Hellman group” is probably configured incorrectly.
Is the IKE version the same on both tunnel end-points?
Did you configure a correct “Peer address” on both end-points?
Are the “Local ID” and “Peer ID” correct on both end-points and do they correspond to each other? I.e. on the second unit the values must be the same, but switched.
Are the “Traffic selectors” correct on both end-points and do they correspond to each other? The selectors must always be paired – via switching the “Local” and “Remote” networks.
Are all the IKE parameters the same on both end-points? (Encryption algorithm, Integrity algorithm, Diffie-Hellman group)
Are all the IPsec parameters the same on both end-points (child SA)?
Are you really sure the parameters are the same? It might be difficult to spot some parameters on other vendors’ routers such as Cisco, Mikrotik, Fortigate and others.
Is the PSK configured the same on both end-points? Did you enter a hexadecimal number (“Key”) instead of text (“Pass phrase”)?
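The checklist above can be mechanised: the following added example (not part of the original document or any vendor's tooling) compares two constructed end-point configurations and reports every question that would be answered "no". The field names (ike_version, local_address, peer_id, psk_field, ...) are assumptions modelled on the page's terms, not a real configuration schema.

```python
# Added example, not from the original document: walks the IPsec troubleshooting
# checklist over two end-point configurations. Field names are assumptions based on
# the page's terms (Peer address, Local ID, Traffic selectors, Key / Pass phrase).

def check_pair(a, b):
    """Return the mismatches between tunnel end-points a and b (empty list = consistent)."""
    problems = []
    if a["ike_version"] != b["ike_version"]:
        problems.append("IKE version differs")
    # Each side's "Peer address" must be the other side's own address.
    if (a["peer_address"], b["peer_address"]) != (b["local_address"], a["local_address"]):
        problems.append("Peer address does not point at the other end-point")
    # Local ID / Peer ID carry the same two values, switched.
    if (a["local_id"], a["peer_id"]) != (b["peer_id"], b["local_id"]):
        problems.append("Local ID / Peer ID are not mirrored")
    # Traffic selectors are paired by switching the Local and Remote networks.
    if (set(a["local_nets"]), set(a["remote_nets"])) != (set(b["remote_nets"]), set(b["local_nets"])):
        problems.append("Traffic selectors are not mirrored")
    # IKE (encryption, integrity, DH group) and child SA proposals must match key by key.
    for phase in ("ike", "child_sa"):
        keys = a[phase].keys() | b[phase].keys()
        diff = sorted(k for k in keys if a[phase].get(k) != b[phase].get(k))
        if diff:
            problems.append(f"{phase} parameters differ: {diff}")
    # The PSK must be the same value entered in the same field (Key = hex, Pass phrase = text).
    if (a["psk_field"], a["psk"]) != (b["psk_field"], b["psk"]):
        problems.append("PSK differs or was entered as Key on one side and Pass phrase on the other")
    return problems

def make_side(local, peer, local_id, peer_id, local_nets, remote_nets, **override):
    """Build one constructed end-point; keyword overrides introduce deliberate mistakes."""
    side = {"ike_version": "IKEv2", "local_address": local, "peer_address": peer,
            "local_id": local_id, "peer_id": peer_id,
            "local_nets": local_nets, "remote_nets": remote_nets,
            "ike": {"enc": "AES-256", "integ": "SHA-256", "dh": "group14"},
            "child_sa": {"enc": "AES-256", "integ": "SHA-256"},
            "psk_field": "passphrase", "psk": "example-shared-secret"}
    side.update(override)
    return side

# Constructed sample pair: SITE_B_OK mirrors SITE_A; SITE_B_BAD has a different DH group
# and the PSK typed into the hexadecimal "Key" field instead of "Pass phrase".
SITE_A = make_side("192.0.2.1", "198.51.100.1", "siteA", "siteB", ["10.1.0.0/24"], ["10.2.0.0/24"])
SITE_B_OK = make_side("198.51.100.1", "192.0.2.1", "siteB", "siteA", ["10.2.0.0/24"], ["10.1.0.0/24"])
SITE_B_BAD = make_side("198.51.100.1", "192.0.2.1", "siteB", "siteA", ["10.2.0.0/24"], ["10.1.0.0/24"],
                       ike={"enc": "AES-256", "integ": "SHA-256", "dh": "group2"}, psk_field="hex")
```

Running check_pair(SITE_A, SITE_B_OK) returns an empty list, while check_pair(SITE_A, SITE_B_BAD) reports the DH group and the PSK field mismatch, which is exactly the pair of faults the SA-lifetime and PSK questions above point at.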