As per https://forum.vyos.io/t/site-to-site-ipsec-multiple-sa-in-stale-state/9289 - and https://phabricator.vyos.net/T4551
With the current strongswan version (5.9.1) there seem to be the above issues.
I recompiled/created the deb packages on my own for strongswan 5.9.6, starting from dsc and sources for debian testing (available at https://salsa.debian.org/debian/strongswan/-/tree/debian/5.9.6-1 / tag debian/5.9.6-1).
With the newer version, the issue seems resolved.
NOTE: the patches @ https://github.com/vyos/vyos-build/tree/current/packages/strongswan/patches do not apply to the new 5.9.6 tree. However, you can find the updated patches here: https://gitlab.alpinelinux.org/alpine/aports/-/tree/master/main/strongswan . My recompiled deb uses these ones.
NOTE: the newer version adds these deb dependencies (already available on the debian stable repo): libtss2-mu0 libtss2-sys1 tpm-udev (plus libtss2-dev for the build phase)