Screen OS

Dial-up VPN to SSG5 with Shrewsoft VPN client phase1 issues

    Posted 03-03-2014 02:08

    Hello,

    Please excuse me if a similar question has already been asked. For a few days I have been trying to establish a dial-up VPN connection to my SSG 5 (Hardware Version: 710(0); Firmware Version: 6.3.0r16a.0 (Firewall+VPN)), but I am not able to. From the logs I can see that the connection drops in the 1st phase. Please find below the debug output from the client:

    14/03/03 11:55:18 ii : opened 'C:\Program Files\ShrewSoft\VPN Client\debug\iked.log'
    14/03/03 11:55:18 ii : opened 'C:\Program Files\ShrewSoft\VPN Client/debug/dump-ike-decrypt.cap'
    14/03/03 11:55:18 ii : rebuilding vnet device list ...
    14/03/03 11:55:18 ii : device ROOT\VNET\0000 disabled
    14/03/03 11:55:18 ii : network process thread begin ...
    14/03/03 11:55:18 ii : pfkey process thread begin ...
    14/03/03 11:55:18 ii : ipc server process thread begin ...
    14/03/03 11:55:20 !! : unable to connect to pfkey interface
    14/03/03 11:55:43 ii : ipc client process thread begin ...
    14/03/03 11:55:43 <A : peer config add message
    14/03/03 11:55:43 <A : proposal config message
    14/03/03 11:55:43 <A : proposal config message
    14/03/03 11:55:43 <A : client config message
    14/03/03 11:55:43 <A : xauth username message
    14/03/03 11:55:43 <A : xauth password message
    14/03/03 11:55:43 <A : local id 'user@domain.info' message
    14/03/03 11:55:43 <A : preshared key message
    14/03/03 11:55:43 <A : remote resource message
    14/03/03 11:55:43 <A : remote resource message
    14/03/03 11:55:43 <A : peer tunnel enable message
    14/03/03 11:55:43 DB : peer added ( obj count = 1 )
    14/03/03 11:55:43 ii : local address 172.17.0.101 selected for peer
    14/03/03 11:55:43 DB : tunnel added ( obj count = 1 )
    14/03/03 11:55:43 DB : new phase1 ( ISAKMP initiator )
    14/03/03 11:55:43 DB : exchange type is aggressive
    14/03/03 11:55:43 DB : 172.17.0.101:500 <-> XXX.XXX.9.33:500
    14/03/03 11:55:43 DB : 35dd198b8accfb17:0000000000000000
    14/03/03 11:55:43 DB : phase1 added ( obj count = 1 )
    14/03/03 11:55:43 >> : security association payload
    14/03/03 11:55:43 >> : - proposal #1 payload
    14/03/03 11:55:43 >> : -- transform #1 payload
    14/03/03 11:55:43 >> : key exchange payload
    14/03/03 11:55:43 >> : nonce payload
    14/03/03 11:55:43 >> : identification payload
    14/03/03 11:55:43 >> : vendor id payload
    14/03/03 11:55:43 ii : local supports XAUTH
    14/03/03 11:55:43 >> : vendor id payload
    14/03/03 11:55:43 ii : local supports nat-t ( draft v00 )
    14/03/03 11:55:43 >> : vendor id payload
    14/03/03 11:55:43 ii : local supports nat-t ( draft v01 )
    14/03/03 11:55:43 >> : vendor id payload
    14/03/03 11:55:43 ii : local supports nat-t ( draft v02 )
    14/03/03 11:55:43 >> : vendor id payload
    14/03/03 11:55:43 ii : local supports nat-t ( draft v03 )
    14/03/03 11:55:43 >> : vendor id payload
    14/03/03 11:55:43 ii : local supports nat-t ( rfc )
    14/03/03 11:55:43 >> : vendor id payload
    14/03/03 11:55:43 ii : local supports FRAGMENTATION
    14/03/03 11:55:43 >> : vendor id payload
    14/03/03 11:55:43 ii : local is SHREW SOFT compatible
    14/03/03 11:55:43 >> : vendor id payload
    14/03/03 11:55:43 ii : local is NETSCREEN compatible
    14/03/03 11:55:43 >> : vendor id payload
    14/03/03 11:55:43 ii : local is SIDEWINDER compatible
    14/03/03 11:55:43 >> : vendor id payload
    14/03/03 11:55:43 ii : local is CISCO UNITY compatible
    14/03/03 11:55:43 >= : cookies 35dd198b8accfb17:0000000000000000
    14/03/03 11:55:43 >= : message 00000000
    14/03/03 11:55:43 -> : send IKE packet 172.17.0.101:500 -> XXX.XXX.9.33:500 ( 517 bytes )
    14/03/03 11:55:43 DB : phase1 resend event scheduled ( ref count = 2 )
    14/03/03 11:55:43 <- : recv IKE packet XXX.XXX.9.33:500 -> 172.17.0.101:500 ( 64 bytes )
    14/03/03 11:55:43 DB : phase1 found
    14/03/03 11:55:43 ii : processing informational packet ( 64 bytes )
    14/03/03 11:55:43 =< : cookies 35dd198b8accfb17:761c20972bd23752
    14/03/03 11:55:43 =< : message 00000000
    14/03/03 11:55:43 << : notification payload
    14/03/03 11:55:43 ii : received peer NO-PROPOSAL-CHOSEN notification
    14/03/03 11:55:43 ii : - XXX.XXX.9.33:500 -> 172.17.0.101:500
    14/03/03 11:55:43 ii : - isakmp spi = 35dd198b8accfb17:761c20972bd23752
    14/03/03 11:55:43 ii : - data size 8
    14/03/03 11:55:48 -> : resend 1 phase1 packet(s) [0/2] 172.17.0.101:500 -> XXX.XXX.9.33:500
    14/03/03 11:55:48 <- : recv IKE packet XXX.XXX.9.33:500 -> 172.17.0.101:500 ( 64 bytes )
    14/03/03 11:55:48 DB : phase1 found
    14/03/03 11:55:48 ii : processing informational packet ( 64 bytes )
    14/03/03 11:55:48 =< : cookies 35dd198b8accfb17:e6d979cd7579a65f
    14/03/03 11:55:48 =< : message 00000000
    14/03/03 11:55:48 << : notification payload
    14/03/03 11:55:48 ii : received peer NO-PROPOSAL-CHOSEN notification
    14/03/03 11:55:48 ii : - XXX.XXX.9.33:500 -> 172.17.0.101:500
    14/03/03 11:55:48 ii : - isakmp spi = 35dd198b8accfb17:e6d979cd7579a65f
    14/03/03 11:55:48 ii : - data size 8
    14/03/03 11:55:53 -> : resend 1 phase1 packet(s) [1/2] 172.17.0.101:500 -> XXX.XXX.9.33:500
    14/03/03 11:55:53 <- : recv IKE packet XXX.XXX.9.33:500 -> 172.17.0.101:500 ( 64 bytes )
    14/03/03 11:55:53 DB : phase1 found
    14/03/03 11:55:53 ii : processing informational packet ( 64 bytes )
    14/03/03 11:55:53 =< : cookies 35dd198b8accfb17:48b0969bd0486bcf
    14/03/03 11:55:53 =< : message 00000000
    14/03/03 11:55:53 << : notification payload
    14/03/03 11:55:53 ii : received peer NO-PROPOSAL-CHOSEN notification
    14/03/03 11:55:53 ii : - XXX.XXX.9.33:500 -> 172.17.0.101:500
    14/03/03 11:55:53 ii : - isakmp spi = 35dd198b8accfb17:48b0969bd0486bcf
    14/03/03 11:55:53 ii : - data size 8
    14/03/03 11:55:58 -> : resend 1 phase1 packet(s) [2/2] 172.17.0.101:500 -> XXX.XXX.9.33:500
    14/03/03 11:55:58 <- : recv IKE packet XXX.XXX.9.33:500 -> 172.17.0.101:500 ( 64 bytes )
    14/03/03 11:55:58 DB : phase1 found
    14/03/03 11:55:58 ii : processing informational packet ( 64 bytes )
    14/03/03 11:55:58 =< : cookies 35dd198b8accfb17:bf05f917455d62a4
    14/03/03 11:55:58 =< : message 00000000
    14/03/03 11:55:58 << : notification payload
    14/03/03 11:55:58 ii : received peer NO-PROPOSAL-CHOSEN notification
    14/03/03 11:55:58 ii : - XXX.XXX.9.33:500 -> 172.17.0.101:500
    14/03/03 11:55:58 ii : - isakmp spi = 35dd198b8accfb17:bf05f917455d62a4
    14/03/03 11:55:58 ii : - data size 8
    14/03/03 11:56:03 ii : resend limit exceeded for phase1 exchange
    14/03/03 11:56:03 ii : phase1 removal before expire time
    14/03/03 11:56:03 DB : phase1 deleted ( obj count = 0 )
    14/03/03 11:56:03 DB : policy not found
    14/03/03 11:56:03 DB : policy not found
    14/03/03 11:56:03 DB : policy not found
    14/03/03 11:56:03 DB : policy not found
    14/03/03 11:56:03 DB : policy not found
    14/03/03 11:56:03 DB : policy not found
    14/03/03 11:56:03 DB : policy not found
    14/03/03 11:56:03 DB : policy not found
    14/03/03 11:56:03 DB : removing tunnel config references
    14/03/03 11:56:03 DB : removing tunnel phase2 references
    14/03/03 11:56:03 DB : removing tunnel phase1 references
    14/03/03 11:56:03 DB : tunnel deleted ( obj count = 0 )
    14/03/03 11:56:03 DB : removing all peer tunnel references
    14/03/03 11:56:03 DB : peer deleted ( obj count = 0 )
    14/03/03 11:56:03 ii : ipc client process thread exit ..


    Also the debug from the SSG5:

    ## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98> ike packet, len 517, action 1
    ## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98> Catcher: received 489 bytes from socket.
    ## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98> ****** Recv packet if <ethernet0/0> of vsys <Root> ******
    ## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98> Catcher: get 489 bytes. src port 500
    ## 2014-03-03 12:03:24 : IKE<0.0.0.0        >   ISAKMP msg: len 489, nxp 1[SA], exch 4[AG], flag 00
    ## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98   > Recv : [SA] [KE] [NONCE] [ID] [VID] [VID] [VID] [VID] [VID]
    ## 2014-03-03 12:03:24 : [VID] [VID] [VID] [VID] [VID] [VID]
    ## 2014-03-03 12:03:24 : valid id checking, id type:U-FQDN, len:29.
    ## 2014-03-03 12:03:24 : IKE<0.0.0.0        >     Validate (461): SA/56 KE/132 NONCE/24 ID/29 VID/12 VID/20 VID/20 VID/20 VID/20
    ## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98> Receive Id in AG mode, id-type=3, id=user@domain.info, idlen = 21
    ## 2014-03-03 12:03:24 :   locate peer entry for (3/user@domain.info), by identity.
    ## 2014-03-03 12:03:24 :   Found identity<user@domain.info> in group <1> user id <1>.
    ## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98> Found peer entry (Dialup GW) from XXX.XXX.28.98.
    ## 2014-03-03 12:03:24 : responder create sa: XXX.XXX.28.98->XXX.XXX.9.33
    ## 2014-03-03 12:03:24 : init p1sa, pidt = 0x0
    ## 2014-03-03 12:03:24 : change peer identity for p1 sa, pidt = 0x0
    ## 2014-03-03 12:03:24 : IKE<0.0.0.0        >   peer_identity_create_with_uid: uid<0>
    ## 2014-03-03 12:03:24 : IKE<0.0.0.0        >   create peer identity 0x44bdd00
    ## 2014-03-03 12:03:24 : IKE<0.0.0.0        >   peer_identity_add_to_peer: num entry before add <1>
    ## 2014-03-03 12:03:24 : IKE<0.0.0.0        >   peer_identity_add_to_peer: num entry after add <2>
    ## 2014-03-03 12:03:24 : peer identity 44bdd00 created.
    ## 2014-03-03 12:03:24 : IKE<0.0.0.0        >   EDIPI disabled
    ## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98> getProfileFromP1Proposal->
    ## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98> find profile[0]=<00000005 00000002 00000001 00000002> for p1 proposal (id 5), xauth(0)
    ## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98> responder create sa: XXX.XXX.28.98->XXX.XXX.9.33
    ## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98> Phase 1: Responder starts AGGRESSIVE mode negotiations.
    ## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98> AG in state OAK_AG_NOSTATE.
    ## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98> Process [VID]:
    ## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98   >   Vendor ID:
    ## 2014-03-03 12:03:24 : 09 00 26 89 df d6 b7 12
    ## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98> rcv XAUTH v6.0 vid
    ## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98> Process [VID]:
    ## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98   >   Vendor ID:
    ## 2014-03-03 12:03:24 : 44 85 15 2d 18 b6 bb cd  0b e8 a8 46 95 79 dd cc
    ## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98> rcv NAT-Traversal VID payload (draft-ietf-ipsec-nat-t-ike-00).
    ## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98> Process [VID]:
    ## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98   >   Vendor ID:
    ## 2014-03-03 12:03:24 : 16 f6 ca 16 e4 a4 06 6d  83 82 1a 0f 0a ea a8 62
    ## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98> rcv non-NAT-Traversal VID payload.
    ## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98> Process [VID]:
    ## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98   >   Vendor ID:
    ## 2014-03-03 12:03:24 : 90 cb 80 91 3e bb 69 6e  08 63 81 b5 ec 42 7b 1f
    ## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98> rcv NAT-Traversal VID payload (draft-ietf-ipsec-nat-t-ike-02).
    ## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98> Process [VID]:
    ## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98   >   Vendor ID:
    ## 2014-03-03 12:03:24 : 7d 94 19 a6 53 10 ca 6f  2c 17 9d 92 15 52 9d 56
    ## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98> rcv non-NAT-Traversal VID payload.
    ## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98> Process [VID]:
    ## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98   >   Vendor ID:
    ## 2014-03-03 12:03:24 : 4a 13 1c 81 07 03 58 45  5c 57 28 f2 0e 95 45 2f
    ## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98> rcv non-NAT-Traversal VID payload.
    ## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98> Process [VID]:
    ## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98   >   Vendor ID:
    ## 2014-03-03 12:03:24 : 40 48 b7 d5 6e bc e8 85  25 e7 de 7f 00 d6 c2 d3
    ## 2014-03-03 12:03:24 : 80 00 00 00
    ## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98> receive unknown vendor ID payload
    ## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98> Process [VID]:
    ## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98   >   Vendor ID:
    ## 2014-03-03 12:03:24 : f1 4b 94 b7 bf f1 fe f0  27 73 b8 c4 9f ed ed 26
    ## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98> rcv non-NAT-Traversal VID payload.
    ## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98> Process [VID]:
    ## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98   >   Vendor ID:
    ## 2014-03-03 12:03:24 : 16 6f 93 2d 55 eb 64 d8  e4 df 4f d3 7e 23 13 f0
    ## 2014-03-03 12:03:24 : d0 fd 84 51
    ## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98> receive unknown vendor ID payload
    ## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98> Process [VID]:
    ## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98   >   Vendor ID:
    ## 2014-03-03 12:03:24 : 84 04 ad f9 cd a0 57 60  b2 ca 29 2e 4b ff 53 7b
    ## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98> rcv non-NAT-Traversal VID payload.
    ## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98> Process [VID]:
    ## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98   >   Vendor ID:
    ## 2014-03-03 12:03:24 : 12 f5 f2 8c 45 71 68 a9  70 2d 9f e2 74 cc 01 00
    ## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98> rcv non-NAT-Traversal VID payload.
    ## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98> Process [SA]:
    ## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98> Proposal received: xauthflag 1
    ## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98> auth(1)<PRESHRD>, encr(5)<3DES>, hash(2)<SHA>, group(2)
    ## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98> xauth attribute: initiator
    ## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98> [0] expect: xauthflag 0
    ## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98> auth(1)<PRESHRD>, encr(5)<3DES>, hash(2)<SHA>, group(2)
    ## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98> xauth attribute: disabled
    ## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98> Phase 1: Rejected proposals from peer. Negotiations failed.
    ## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98> Construct ISAKMP header.
    ## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98> Msg header built (next payload #11)
    ## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98> Construct [NOTIF]:(NO-PROPOSAL-CHOSEN)
    ## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98   > Xmit : [NOTIF]
    ## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98> Responder sending IPv4 IP XXX.XXX.28.98/port 500
    ## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98> Send Phase 1 packet (len=64)
    ## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98> IKE msg done: PKI state<0> IKE state<0/10800>
    ## 2014-03-03 12:03:29 : IKE<XXX.XXX.28.98> ike packet, len 517, action 1
    ## 2014-03-03 12:03:29 : IKE<XXX.XXX.28.98> Catcher: received 489 bytes from socket.
    ## 2014-03-03 12:03:29 : IKE<XXX.XXX.28.98> ****** Recv packet if <ethernet0/0> of vsys <Root> ******
    ## 2014-03-03 12:03:29 : IKE<XXX.XXX.28.98> Catcher: get 489 bytes. src port 500
    ## 2014-03-03 12:03:29 : IKE<0.0.0.0        >   ISAKMP msg: len 489, nxp 1[SA], exch 4[AG], flag 00
    ## 2014-03-03 12:03:29 : IKE<XXX.XXX.28.98   > Recv : [SA] [KE] [NONCE] [ID] [VID] [VID] [VID] [VID] [VID]
    ## 2014-03-03 12:03:29 : [VID] [VID] [VID] [VID] [VID] [VID]
    ## 2014-03-03 12:03:29 : valid id checking, id type:U-FQDN, len:29.
    ## 2014-03-03 12:03:29 : IKE<0.0.0.0        >     Validate (461): SA/56 KE/132 NONCE/24 ID/29 VID/12 VID/20 VID/20 VID/20 VID/20
    ## 2014-03-03 12:03:29 : IKE<XXX.XXX.28.98> Receive Id in AG mode, id-type=3, id=user@domain.info, idlen = 21
    ## 2014-03-03 12:03:29 :   locate peer entry for (3/user@domain.info), by identity.
    ## 2014-03-03 12:03:29 :   Found identity<user@domain.info> in group <1> user id <1>.
    ## 2014-03-03 12:03:29 : IKE<XXX.XXX.28.98> Found peer entry (Dialup GW) from XXX.XXX.28.98.
    ## 2014-03-03 12:03:29 : responder create sa: XXX.XXX.28.98->XXX.XXX.9.33
    ## 2014-03-03 12:03:29 : init p1sa, pidt = 0x0
    ## 2014-03-03 12:03:29 : change peer identity for p1 sa, pidt = 0x0
    ## 2014-03-03 12:03:29 : IKE<0.0.0.0        >   peer_identity_create_with_uid: uid<0>
    ## 2014-03-03 12:03:29 : IKE<0.0.0.0        >   create peer identity 0x44be268
    ## 2014-03-03 12:03:29 : IKE<0.0.0.0        >   peer_identity_add_to_peer: num entry before add <2>
    ## 2014-03-03 12:03:29 : IKE<0.0.0.0        >   peer_identity_add_to_peer: num entry after add <3>
    ## 2014-03-03 12:03:29 : peer identity 44be268 created.
    ## 2014-03-03 12:03:29 : IKE<0.0.0.0        >   EDIPI disabled
    ## 2014-03-03 12:03:29 : IKE<XXX.XXX.28.98> getProfileFromP1Proposal->
    ## 2014-03-03 12:03:29 : IKE<XXX.XXX.28.98> find profile[0]=<00000005 00000002 00000001 00000002> for p1 proposal (id 5), xauth(0)
    ## 2014-03-03 12:03:29 : IKE<XXX.XXX.28.98> responder create sa: XXX.XXX.28.98->XXX.XXX.9.33
    ## 2014-03-03 12:03:29 : IKE<XXX.XXX.28.98> Phase 1: Responder starts AGGRESSIVE mode negotiations.
    ## 2014-03-03 12:03:29 : IKE<XXX.XXX.28.98> AG in state OAK_AG_NOSTATE.
    ## 2014-03-03 12:03:29 : IKE<XXX.XXX.28.98> Process [VID]:
    ## 2014-03-03 12:03:29 : IKE<XXX.XXX.28.98   >   Vendor ID:
    ## 2014-03-03 12:03:29 : 09 00 26 89 df d6 b7 12
    ## 2014-03-03 12:03:29 : IKE<XXX.XXX.28.98> rcv XAUTH v6.0 vid
    ## 2014-03-03 12:03:29 : IKE<XXX.XXX.28.98> Process [VID]:
    ## 2014-03-03 12:03:29 : IKE<XXX.XXX.28.98   >   Vendor ID:
    ## 2014-03-03 12:03:29 : 44 85 15 2d 18 b6 bb cd  0b e8 a8 46 95 79 dd cc
    ## 2014-03-03 12:03:29 : IKE<XXX.XXX.28.98> rcv NAT-Traversal VID payload (draft-ietf-ipsec-nat-t-ike-00).
    ## 2014-03-03 12:03:29 : IKE<XXX.XXX.28.98> Process [VID]:
    ## 2014-03-03 12:03:29 : IKE<XXX.XXX.28.98   >   Vendor ID:
    ## 2014-03-03 12:03:29 : 16 f6 ca 16 e4 a4 06 6d  83 82 1a 0f 0a ea a8 62
    ## 2014-03-03 12:03:29 : IKE<XXX.XXX.28.98> rcv non-NAT-Traversal VID payload.
    ## 2014-03-03 12:03:29 : IKE<XXX.XXX.28.98> Process [VID]:
    ## 2014-03-03 12:03:29 : IKE<XXX.XXX.28.98   >   Vendor ID:
    ## 2014-03-03 12:03:29 : 90 cb 80 91 3e bb 69 6e  08 63 81 b5 ec 42 7b 1f
    ## 2014-03-03 12:03:29 : IKE<XXX.XXX.28.98> rcv NAT-Traversal VID payload (draft-ietf-ipsec-nat-t-ike-02).
    ## 2014-03-03 12:03:29 : IKE<XXX.XXX.28.98> Process [VID]:
    ## 2014-03-03 12:03:29 : IKE<XXX.XXX.28.98   >   Vendor ID:
    ## 2014-03-03 12:03:29 : 7d 94 19 a6 53 10 ca 6f  2c 17 9d 92 15 52 9d 56
    ## 2014-03-03 12:03:29 : IKE<XXX.XXX.28.98> rcv non-NAT-Traversal VID payload.
    ## 2014-03-03 12:03:29 : IKE<XXX.XXX.28.98> Process [VID]:
    ## 2014-03-03 12:03:29 : IKE<XXX.XXX.28.98   >   Vendor ID:
    ## 2014-03-03 12:03:29 : 4a 13 1c 81 07 03 58 45  5c 57 28 f2 0e 95 45 2f
    ## 2014-03-03 12:03:29 : IKE<XXX.XXX.28.98> rcv non-NAT-Traversal VID payload.
    ## 2014-03-03 12:03:29 : IKE<XXX.XXX.28.98> Process [VID]:
    ## 2014-03-03 12:03:29 : IKE<XXX.XXX.28.98   >   Vendor ID:
    ## 2014-03-03 12:03:29 : 40 48 b7 d5 6e bc e8 85  25 e7 de 7f 00 d6 c2 d3
    ## 2014-03-03 12:03:29 : 80 00 00 00
    ## 2014-03-03 12:03:29 : IKE<XXX.XXX.28.98> receive unknown vendor ID payload
    ## 2014-03-03 12:03:29 : IKE<XXX.XXX.28.98> Process [VID]:
    ## 2014-03-03 12:03:29 : IKE<XXX.XXX.28.98   >   Vendor ID:
    ## 2014-03-03 12:03:29 : f1 4b 94 b7 bf f1 fe f0  27 73 b8 c4 9f ed ed 26
    ## 2014-03-03 12:03:29 : IKE<XXX.XXX.28.98> rcv non-NAT-Traversal VID payload.
    ## 2014-03-03 12:03:29 : IKE<XXX.XXX.28.98> Process [VID]:
    ## 2014-03-03 12:03:29 : IKE<XXX.XXX.28.98   >   Vendor ID:
    ## 2014-03-03 12:03:29 : 16 6f 93 2d 55 eb 64 d8  e4 df 4f d3 7e 23 13 f0
    ## 2014-03-03 12:03:29 : d0 fd 84 51
    ## 2014-03-03 12:03:29 : IKE<XXX.XXX.28.98> receive unknown vendor ID payload
    ## 2014-03-03 12:03:29 : IKE<XXX.XXX.28.98> Process [VID]:
    ## 2014-03-03 12:03:29 : IKE<XXX.XXX.28.98   >   Vendor ID:
    ## 2014-03-03 12:03:29 : 84 04 ad f9 cd a0 57 60  b2 ca 29 2e 4b ff 53 7b
    ## 2014-03-03 12:03:29 : IKE<XXX.XXX.28.98> rcv non-NAT-Traversal VID payload.
    ## 2014-03-03 12:03:29 : IKE<XXX.XXX.28.98> Process [VID]:
    ## 2014-03-03 12:03:29 : IKE<XXX.XXX.28.98   >   Vendor ID:
    ## 2014-03-03 12:03:29 : 12 f5 f2 8c 45 71 68 a9  70 2d 9f e2 74 cc 01 00
    ## 2014-03-03 12:03:29 : IKE<XXX.XXX.28.98> rcv non-NAT-Traversal VID payload.
    ## 2014-03-03 12:03:29 : IKE<XXX.XXX.28.98> Process [SA]:
    ## 2014-03-03 12:03:29 : IKE<XXX.XXX.28.98> Proposal received: xauthflag 1
    ## 2014-03-03 12:03:29 : IKE<XXX.XXX.28.98> auth(1)<PRESHRD>, encr(5)<3DES>, hash(2)<SHA>, group(2)
    ## 2014-03-03 12:03:29 : IKE<XXX.XXX.28.98> xauth attribute: initiator
    ## 2014-03-03 12:03:29 : IKE<XXX.XXX.28.98> [0] expect: xauthflag 0
    ## 2014-03-03 12:03:29 : IKE<XXX.XXX.28.98> auth(1)<PRESHRD>, encr(5)<3DES>, hash(2)<SHA>, group(2)
    ## 2014-03-03 12:03:29 : IKE<XXX.XXX.28.98> xauth attribute: disabled
    ## 2014-03-03 12:03:29 : IKE<XXX.XXX.28.98> Phase 1: Rejected proposals from peer. Negotiations failed.
    ## 2014-03-03 12:03:29 : IKE<XXX.XXX.28.98> Construct ISAKMP header.
    ## 2014-03-03 12:03:29 : IKE<XXX.XXX.28.98> Msg header built (next payload #11)
    ## 2014-03-03 12:03:29 : IKE<XXX.XXX.28.98> Construct [NOTIF]:(NO-PROPOSAL-CHOSEN)
    ## 2014-03-03 12:03:29 : IKE<XXX.XXX.28.98   > Xmit : [NOTIF]
    ## 2014-03-03 12:03:29 : IKE<XXX.XXX.28.98> Responder sending IPv4 IP XXX.XXX.28.98/port 500
    ## 2014-03-03 12:03:29 : IKE<XXX.XXX.28.98> Send Phase 1 packet (len=64)
    ## 2014-03-03 12:03:29 : IKE<XXX.XXX.28.98> IKE msg done: PKI state<0> IKE state<0/10800>
    ## 2014-03-03 12:03:34 : IKE<XXX.XXX.28.98> ike packet, len 517, action 1
    ## 2014-03-03 12:03:34 : IKE<XXX.XXX.28.98> Catcher: received 489 bytes from socket.
    ## 2014-03-03 12:03:34 : IKE<XXX.XXX.28.98> ****** Recv packet if <ethernet0/0> of vsys <Root> ******
    ## 2014-03-03 12:03:34 : IKE<XXX.XXX.28.98> Catcher: get 489 bytes. src port 500
    ## 2014-03-03 12:03:34 : IKE<0.0.0.0        >   ISAKMP msg: len 489, nxp 1[SA], exch 4[AG], flag 00
    ## 2014-03-03 12:03:34 : IKE<XXX.XXX.28.98   > Recv : [SA] [KE] [NONCE] [ID] [VID] [VID] [VID] [VID] [VID]
    ## 2014-03-03 12:03:34 : [VID] [VID] [VID] [VID] [VID] [VID]
    ## 2014-03-03 12:03:34 : valid id checking, id type:U-FQDN, len:29.
    ## 2014-03-03 12:03:34 : IKE<0.0.0.0        >     Validate (461): SA/56 KE/132 NONCE/24 ID/29 VID/12 VID/20 VID/20 VID/20 VID/20
    ## 2014-03-03 12:03:34 : IKE<XXX.XXX.28.98> Receive Id in AG mode, id-type=3, id=user@domain.info, idlen = 21
    ## 2014-03-03 12:03:34 :   locate peer entry for (3/user@domain.info), by identity.
    ## 2014-03-03 12:03:34 :   Found identity<user@domain.info> in group <1> user id <1>.
    ## 2014-03-03 12:03:34 : IKE<XXX.XXX.28.98> Found peer entry (Dialup GW) from XXX.XXX.28.98.
    ## 2014-03-03 12:03:34 : responder create sa: XXX.XXX.28.98->XXX.XXX.9.33
    ## 2014-03-03 12:03:34 : init p1sa, pidt = 0x0
    ## 2014-03-03 12:03:34 : change peer identity for p1 sa, pidt = 0x0
    ## 2014-03-03 12:03:34 : IKE<0.0.0.0        >   peer_identity_create_with_uid: uid<0>
    ## 2014-03-03 12:03:34 : IKE<0.0.0.0        >   create peer identity 0x44be51c
    ## 2014-03-03 12:03:34 : IKE<0.0.0.0        >   peer_identity_add_to_peer: num entry before add <3>
    ## 2014-03-03 12:03:34 : IKE<0.0.0.0        >   peer_identity_add_to_peer: num entry after add <4>
    ## 2014-03-03 12:03:34 : peer identity 44be51c created.
    ## 2014-03-03 12:03:34 : IKE<0.0.0.0        >   EDIPI disabled
    ## 2014-03-03 12:03:34 : IKE<XXX.XXX.28.98> getProfileFromP1Proposal->
    ## 2014-03-03 12:03:34 : IKE<XXX.XXX.28.98> find profile[0]=<00000005 00000002 00000001 00000002> for p1 proposal (id 5), xauth(0)
    ## 2014-03-03 12:03:34 : IKE<XXX.XXX.28.98> responder create sa: XXX.XXX.28.98->XXX.XXX.9.33
    ## 2014-03-03 12:03:34 : IKE<XXX.XXX.28.98> Phase 1: Responder starts AGGRESSIVE mode negotiations.
    ## 2014-03-03 12:03:34 : IKE<XXX.XXX.28.98> AG in state OAK_AG_NOSTATE.
    ## 2014-03-03 12:03:34 : IKE<XXX.XXX.28.98> Process [VID]:
    ## 2014-03-03 12:03:34 : IKE<XXX.XXX.28.98   >   Vendor ID:
    ## 2014-03-03 12:03:34 : 09 00 26 89 df d6 b7 12
    ## 2014-03-03 12:03:34 : IKE<XXX.XXX.28.98> rcv XAUTH v6.0 vid
    ## 2014-03-03 12:03:34 : IKE<XXX.XXX.28.98> Process [VID]:
    ## 2014-03-03 12:03:34 : IKE<XXX.XXX.28.98   >   Vendor ID:
    ## 2014-03-03 12:03:34 : 44 85 15 2d 18 b6 bb cd  0b e8 a8 46 95 79 dd cc
    ## 2014-03-03 12:03:34 : IKE<XXX.XXX.28.98> rcv NAT-Traversal VID payload (draft-ietf-ipsec-nat-t-ike-00).
    ## 2014-03-03 12:03:34 : IKE<XXX.XXX.28.98> Process [VID]:
    ## 2014-03-03 12:03:34 : IKE<XXX.XXX.28.98   >   Vendor ID:
    ## 2014-03-03 12:03:34 : 16 f6 ca 16 e4 a4 06 6d  83 82 1a 0f 0a ea a8 62
    ## 2014-03-03 12:03:34 : IKE<XXX.XXX.28.98> rcv non-NAT-Traversal VID payload.
    ## 2014-03-03 12:03:34 : IKE<XXX.XXX.28.98> Process [VID]:
    ## 2014-03-03 12:03:34 : IKE<XXX.XXX.28.98   >   Vendor ID:
    ## 2014-03-03 12:03:34 : 90 cb 80 91 3e bb 69 6e  08 63 81 b5 ec 42 7b 1f
    ## 2014-03-03 12:03:34 : IKE<XXX.XXX.28.98> rcv NAT-Traversal VID payload (draft-ietf-ipsec-nat-t-ike-02).
    ## 2014-03-03 12:03:34 : IKE<XXX.XXX.28.98> Process [VID]:
    ## 2014-03-03 12:03:34 : IKE<XXX.XXX.28.98   >   Vendor ID:
    ## 2014-03-03 12:03:34 : 7d 94 19 a6 53 10 ca 6f  2c 17 9d 92 15 52 9d 56
    ## 2014-03-03 12:03:34 : IKE<XXX.XXX.28.98> rcv non-NAT-Traversal VID payload.
    ## 2014-03-03 12:03:34 : IKE<XXX.XXX.28.98> Process [VID]:
    ## 2014-03-03 12:03:34 : IKE<XXX.XXX.28.98   >   Vendor ID:
    ## 2014-03-03 12:03:34 : 4a 13 1c 81 07 03 58 45  5c 57 28 f2 0e 95 45 2f
    ## 2014-03-03 12:03:34 : IKE<XXX.XXX.28.98> rcv non-NAT-Traversal VID payload.
    ## 2014-03-03 12:03:34 : IKE<XXX.XXX.28.98> Process [VID]:
    ## 2014-03-03 12:03:34 : IKE<XXX.XXX.28.98   >   Vendor ID:
    ## 2014-03-03 12:03:34 : 40 48 b7 d5 6e bc e8 85  25 e7 de 7f 00 d6 c2 d3
    ## 2014-03-03 12:03:34 : 80 00 00 00
    ## 2014-03-03 12:03:34 : IKE<XXX.XXX.28.98> receive unknown vendor ID payload
    ## 2014-03-03 12:03:34 : IKE<XXX.XXX.28.98> Process [VID]:
    ## 2014-03-03 12:03:34 : IKE<XXX.XXX.28.98   >   Vendor ID:
    ## 2014-03-03 12:03:34 : f1 4b 94 b7 bf f1 fe f0  27 73 b8 c4 9f ed ed 26
    ## 2014-03-03 12:03:34 : IKE<XXX.XXX.28.98> rcv non-NAT-Traversal VID payload.
    ## 2014-03-03 12:03:34 : IKE<XXX.XXX.28.98> Process [VID]:
    ## 2014-03-03 12:03:34 : IKE<XXX.XXX.28.98   >   Vendor ID:
    ## 2014-03-03 12:03:34 : 16 6f 93 2d 55 eb 64 d8  e4 df 4f d3 7e 23 13 f0
    ## 2014-03-03 12:03:34 : d0 fd 84 51
    ## 2014-03-03 12:03:34 : IKE<XXX.XXX.28.98> receive unknown vendor ID payload
    ## 2014-03-03 12:03:34 : IKE<XXX.XXX.28.98> Process [VID]:
    ## 2014-03-03 12:03:34 : IKE<XXX.XXX.28.98   >   Vendor ID:
    ## 2014-03-03 12:03:34 : 84 04 ad f9 cd a0 57 60  b2 ca 29 2e 4b ff 53 7b
    ## 2014-03-03 12:03:34 : IKE<XXX.XXX.28.98> rcv non-NAT-Traversal VID payload.
    ## 2014-03-03 12:03:34 : IKE<XXX.XXX.28.98> Process [VID]:
    ## 2014-03-03 12:03:34 : IKE<XXX.XXX.28.98   >   Vendor ID:
    ## 2014-03-03 12:03:34 : 12 f5 f2 8c 45 71 68 a9  70 2d 9f e2 74 cc 01 00
    ## 2014-03-03 12:03:34 : IKE<XXX.XXX.28.98> rcv non-NAT-Traversal VID payload.
    ## 2014-03-03 12:03:34 : IKE<XXX.XXX.28.98> Process [SA]:
    ## 2014-03-03 12:03:34 : IKE<XXX.XXX.28.98> Proposal received: xauthflag 1
    ## 2014-03-03 12:03:34 : IKE<XXX.XXX.28.98> auth(1)<PRESHRD>, encr(5)<3DES>, hash(2)<SHA>, group(2)
    ## 2014-03-03 12:03:34 : IKE<XXX.XXX.28.98> xauth attribute: initiator
    ## 2014-03-03 12:03:34 : IKE<XXX.XXX.28.98> [0] expect: xauthflag 0
    ## 2014-03-03 12:03:34 : IKE<XXX.XXX.28.98> auth(1)<PRESHRD>, encr(5)<3DES>, hash(2)<SHA>, group(2)
    ## 2014-03-03 12:03:34 : IKE<XXX.XXX.28.98> xauth attribute: disabled
    ## 2014-03-03 12:03:34 : IKE<XXX.XXX.28.98> Phase 1: Rejected proposals from peer. Negotiations failed.
    ## 2014-03-03 12:03:34 : IKE<XXX.XXX.28.98> Construct ISAKMP header.
    ## 2014-03-03 12:03:34 : IKE<XXX.XXX.28.98> Msg header built (next payload #11)
    ## 2014-03-03 12:03:34 : IKE<XXX.XXX.28.98> Construct [NOTIF]:(NO-PROPOSAL-CHOSEN)
    ## 2014-03-03 12:03:34 : IKE<XXX.XXX.28.98   > Xmit : [NOTIF]
    ## 2014-03-03 12:03:34 : IKE<XXX.XXX.28.98> Responder sending IPv4 IP XXX.XXX.28.98/port 500
    ## 2014-03-03 12:03:34 : IKE<XXX.XXX.28.98> Send Phase 1 packet (len=64)
    ## 2014-03-03 12:03:34 : IKE<XXX.XXX.28.98> IKE msg done: PKI state<0> IKE state<0/10800>
    ## 2014-03-03 12:03:39 : IKE<XXX.XXX.28.98> ike packet, len 517, action 1
    ## 2014-03-03 12:03:39 : IKE<XXX.XXX.28.98> Catcher: received 489 bytes from socket.
    ## 2014-03-03 12:03:39 : IKE<XXX.XXX.28.98> ****** Recv packet if <ethernet0/0> of vsys <Root> ******
    ## 2014-03-03 12:03:39 : IKE<XXX.XXX.28.98> Catcher: get 489 bytes. src port 500
    ## 2014-03-03 12:03:39 : IKE<0.0.0.0        >   ISAKMP msg: len 489, nxp 1[SA], exch 4[AG], flag 00
    ## 2014-03-03 12:03:39 : IKE<XXX.XXX.28.98   > Recv : [SA] [KE] [NONCE] [ID] [VID] [VID] [VID] [VID] [VID]
    ## 2014-03-03 12:03:39 : [VID] [VID] [VID] [VID] [VID] [VID]
    ## 2014-03-03 12:03:39 : valid id checking, id type:U-FQDN, len:29.
    ## 2014-03-03 12:03:39 : IKE<0.0.0.0        >     Validate (461): SA/56 KE/132 NONCE/24 ID/29 VID/12 VID/20 VID/20 VID/20 VID/20
    ## 2014-03-03 12:03:39 : IKE<XXX.XXX.28.98> Receive Id in AG mode, id-type=3, id=user@domain.info, idlen = 21
    ## 2014-03-03 12:03:39 :   locate peer entry for (3/user@domain.info), by identity.
    ## 2014-03-03 12:03:39 :   Found identity<user@domain.info> in group <1> user id <1>.
    ## 2014-03-03 12:03:39 : IKE<XXX.XXX.28.98> Found peer entry (Dialup GW) from XXX.XXX.28.98.
    ## 2014-03-03 12:03:39 : responder create sa: XXX.XXX.28.98->XXX.XXX.9.33
    ## 2014-03-03 12:03:39 : init p1sa, pidt = 0x0
    ## 2014-03-03 12:03:39 : change peer identity for p1 sa, pidt = 0x0
    ## 2014-03-03 12:03:39 : IKE<0.0.0.0        >   peer_identity_create_with_uid: uid<0>
    ## 2014-03-03 12:03:39 : IKE<0.0.0.0        >   create peer identity 0x44be7d0
    ## 2014-03-03 12:03:39 : IKE<0.0.0.0        >   peer_identity_add_to_peer: num entry before add <4>
    ## 2014-03-03 12:03:39 : IKE<0.0.0.0        >   peer_identity_add_to_peer: num entry after add <5>
    ## 2014-03-03 12:03:39 : peer identity 44be7d0 created.
    ## 2014-03-03 12:03:39 : IKE<0.0.0.0        >   EDIPI disabled
    ## 2014-03-03 12:03:39 : IKE<XXX.XXX.28.98> getProfileFromP1Proposal->
    ## 2014-03-03 12:03:39 : IKE<XXX.XXX.28.98> find profile[0]=<00000005 00000002 00000001 00000002> for p1 proposal (id 5), xauth(0)
    ## 2014-03-03 12:03:39 : IKE<XXX.XXX.28.98> responder create sa: XXX.XXX.28.98->XXX.XXX.9.33
    ## 2014-03-03 12:03:39 : IKE<XXX.XXX.28.98> Phase 1: Responder starts AGGRESSIVE mode negotiations.
    ## 2014-03-03 12:03:39 : IKE<XXX.XXX.28.98> AG in state OAK_AG_NOSTATE.
    ## 2014-03-03 12:03:39 : IKE<XXX.XXX.28.98> Process [VID]:
    ## 2014-03-03 12:03:39 : IKE<XXX.XXX.28.98   >   Vendor ID:
    ## 2014-03-03 12:03:39 : 09 00 26 89 df d6 b7 12
    ## 2014-03-03 12:03:39 : IKE<XXX.XXX.28.98> rcv XAUTH v6.0 vid
    ## 2014-03-03 12:03:39 : IKE<XXX.XXX.28.98> Process [VID]:
    ## 2014-03-03 12:03:39 : IKE<XXX.XXX.28.98   >   Vendor ID:
    ## 2014-03-03 12:03:39 : 44 85 15 2d 18 b6 bb cd  0b e8 a8 46 95 79 dd cc
    ## 2014-03-03 12:03:39 : IKE<XXX.XXX.28.98> rcv NAT-Traversal VID payload (draft-ietf-ipsec-nat-t-ike-00).
    ## 2014-03-03 12:03:39 : IKE<XXX.XXX.28.98> Process [VID]:
    ## 2014-03-03 12:03:39 : IKE<XXX.XXX.28.98   >   Vendor ID:
    ## 2014-03-03 12:03:39 : 16 f6 ca 16 e4 a4 06 6d  83 82 1a 0f 0a ea a8 62
    ## 2014-03-03 12:03:39 : IKE<XXX.XXX.28.98> rcv non-NAT-Traversal VID payload.
    ## 2014-03-03 12:03:39 : IKE<XXX.XXX.28.98> Process [VID]:
    ## 2014-03-03 12:03:39 : IKE<XXX.XXX.28.98   >   Vendor ID:
    ## 2014-03-03 12:03:39 : 90 cb 80 91 3e bb 69 6e  08 63 81 b5 ec 42 7b 1f
    ## 2014-03-03 12:03:39 : IKE<XXX.XXX.28.98> rcv NAT-Traversal VID payload (draft-ietf-ipsec-nat-t-ike-02).
    ## 2014-03-03 12:03:39 : IKE<XXX.XXX.28.98> Process [VID]:
    ## 2014-03-03 12:03:39 : IKE<XXX.XXX.28.98   >   Vendor ID:
    ## 2014-03-03 12:03:39 : 7d 94 19 a6 53 10 ca 6f  2c 17 9d 92 15 52 9d 56
    ## 2014-03-03 12:03:39 : IKE<XXX.XXX.28.98> rcv non-NAT-Traversal VID payload.
    ## 2014-03-03 12:03:39 : IKE<XXX.XXX.28.98> Process [VID]:
    ## 2014-03-03 12:03:39 : IKE<XXX.XXX.28.98   >   Vendor ID:
    ## 2014-03-03 12:03:39 : 4a 13 1c 81 07 03 58 45  5c 57 28 f2 0e 95 45 2f
    ## 2014-03-03 12:03:39 : IKE<XXX.XXX.28.98> rcv non-NAT-Traversal VID payload.
    ## 2014-03-03 12:03:39 : IKE<XXX.XXX.28.98> Process [VID]:
    ## 2014-03-03 12:03:39 : IKE<XXX.XXX.28.98   >   Vendor ID:
    ## 2014-03-03 12:03:39 : 40 48 b7 d5 6e bc e8 85  25 e7 de 7f 00 d6 c2 d3
    ## 2014-03-03 12:03:39 : 80 00 00 00
    ## 2014-03-03 12:03:39 : IKE<XXX.XXX.28.98> receive unknown vendor ID payload
    ## 2014-03-03 12:03:39 : IKE<XXX.XXX.28.98> Process [VID]:
    ## 2014-03-03 12:03:39 : IKE<XXX.XXX.28.98   >   Vendor ID:
    ## 2014-03-03 12:03:39 : f1 4b 94 b7 bf f1 fe f0  27 73 b8 c4 9f ed ed 26
    ## 2014-03-03 12:03:39 : IKE<XXX.XXX.28.98> rcv non-NAT-Traversal VID payload.
    ## 2014-03-03 12:03:39 : IKE<XXX.XXX.28.98> Process [VID]:
    ## 2014-03-03 12:03:39 : IKE<XXX.XXX.28.98   >   Vendor ID:
    ## 2014-03-03 12:03:39 : 16 6f 93 2d 55 eb 64 d8  e4 df 4f d3 7e 23 13 f0
    ## 2014-03-03 12:03:39 : d0 fd 84 51
    ## 2014-03-03 12:03:39 : IKE<XXX.XXX.28.98> receive unknown vendor ID payload
    ## 2014-03-03 12:03:39 : IKE<XXX.XXX.28.98> Process [VID]:
    ## 2014-03-03 12:03:39 : IKE<XXX.XXX.28.98   >   Vendor ID:
    ## 2014-03-03 12:03:39 : 84 04 ad f9 cd a0 57 60  b2 ca 29 2e 4b ff 53 7b
    ## 2014-03-03 12:03:39 : IKE<XXX.XXX.28.98> rcv non-NAT-Traversal VID payload.
    ## 2014-03-03 12:03:39 : IKE<XXX.XXX.28.98> Process [VID]:
    ## 2014-03-03 12:03:39 : IKE<XXX.XXX.28.98   >   Vendor ID:
    ## 2014-03-03 12:03:39 : 12 f5 f2 8c 45 71 68 a9  70 2d 9f e2 74 cc 01 00
    ## 2014-03-03 12:03:39 : IKE<XXX.XXX.28.98> rcv non-NAT-Traversal VID payload.
    ## 2014-03-03 12:03:39 : IKE<XXX.XXX.28.98> Process [SA]:
    ## 2014-03-03 12:03:39 : IKE<XXX.XXX.28.98> Proposal received: xauthflag 1
    ## 2014-03-03 12:03:39 : IKE<XXX.XXX.28.98> auth(1)<PRESHRD>, encr(5)<3DES>, hash(2)<SHA>, group(2)
    ## 2014-03-03 12:03:39 : IKE<XXX.XXX.28.98> xauth attribute: initiator
    ## 2014-03-03 12:03:39 : IKE<XXX.XXX.28.98> [0] expect: xauthflag 0
    ## 2014-03-03 12:03:39 : IKE<XXX.XXX.28.98> auth(1)<PRESHRD>, encr(5)<3DES>, hash(2)<SHA>, group(2)
    ## 2014-03-03 12:03:39 : IKE<XXX.XXX.28.98> xauth attribute: disabled
    ## 2014-03-03 12:03:39 : IKE<XXX.XXX.28.98> Phase 1: Rejected proposals from peer. Negotiations failed.
    ## 2014-03-03 12:03:39 : IKE<XXX.XXX.28.98> Construct ISAKMP header.
    ## 2014-03-03 12:03:39 : IKE<XXX.XXX.28.98> Msg header built (next payload #11)
    ## 2014-03-03 12:03:39 : IKE<XXX.XXX.28.98> Construct [NOTIF]:(NO-PROPOSAL-CHOSEN)
    ## 2014-03-03 12:03:39 : IKE<XXX.XXX.28.98   > Xmit : [NOTIF]
    ## 2014-03-03 12:03:39 : IKE<XXX.XXX.28.98> Responder sending IPv4 IP XXX.XXX.28.98/port 500
    ## 2014-03-03 12:03:39 : IKE<XXX.XXX.28.98> Send Phase 1 packet (len=64)
    ## 2014-03-03 12:03:39 : IKE<XXX.XXX.28.98> IKE msg done: PKI state<0> IKE state<0/10800>
    ## 2014-03-03 12:03:44 : reap_db. deleting p1sa 2a4e408
    ## 2014-03-03 12:03:44 : terminate_SA: trying to delete SA cause: 0 cond: 2
    ## 2014-03-03 12:03:44 : IKE<XXX.XXX.28.98> xauth_cleanup()
    ## 2014-03-03 12:03:44 : IKE<XXX.XXX.28.98> Done cleaning up IKE Phase 1 SA
    ## 2014-03-03 12:03:44 : peer_identity_unregister_p1_sa.
    ## 2014-03-03 12:03:44 : IKE<0.0.0.0        >   delete peer identity 0x44be7d0
    ## 2014-03-03 12:03:44 : IKE<0.0.0.0        >   peer_identity_remove_from_peer: num entry before remove <5>
    ## 2014-03-03 12:03:44 : peer_idt.c peer_identity_unregister_p1_sa 686: pidt deleted.
    ## 2014-03-03 12:03:44 : reap_db. deleting p1sa 2a4ccd4
    ## 2014-03-03 12:03:44 : terminate_SA: trying to delete SA cause: 0 cond: 2
    ## 2014-03-03 12:03:44 : IKE<XXX.XXX.28.98> xauth_cleanup()
    ## 2014-03-03 12:03:44 : IKE<XXX.XXX.28.98> Done cleaning up IKE Phase 1 SA
    ## 2014-03-03 12:03:44 : peer_identity_unregister_p1_sa.
    ## 2014-03-03 12:03:44 : IKE<0.0.0.0        >   delete peer identity 0x44be51c
    ## 2014-03-03 12:03:44 : IKE<0.0.0.0        >   peer_identity_remove_from_peer: num entry before remove <4>
    ## 2014-03-03 12:03:44 : peer_idt.c peer_identity_unregister_p1_sa 686: pidt deleted.
    ## 2014-03-03 12:03:44 : reap_db. deleting p1sa 2a4d61c
    ## 2014-03-03 12:03:44 : terminate_SA: trying to delete SA cause: 0 cond: 2
    ## 2014-03-03 12:03:44 : IKE<XXX.XXX.28.98> xauth_cleanup()
    ## 2014-03-03 12:03:44 : IKE<XXX.XXX.28.98> Done cleaning up IKE Phase 1 SA
    ## 2014-03-03 12:03:44 : peer_identity_unregister_p1_sa.
    ## 2014-03-03 12:03:44 : IKE<0.0.0.0        >   delete peer identity 0x44be268
    ## 2014-03-03 12:03:44 : IKE<0.0.0.0        >   peer_identity_remove_from_peer: num entry before remove <3>
    ## 2014-03-03 12:03:44 : peer_idt.c peer_identity_unregister_p1_sa 686: pidt deleted.
    ## 2014-03-03 12:03:44 : reap_db. deleting p1sa 2a4c830
    ## 2014-03-03 12:03:44 : terminate_SA: trying to delete SA cause: 0 cond: 2
    ## 2014-03-03 12:03:44 : IKE<XXX.XXX.28.98> xauth_cleanup()
    ## 2014-03-03 12:03:44 : IKE<XXX.XXX.28.98> Done cleaning up IKE Phase 1 SA
    ## 2014-03-03 12:03:44 : peer_identity_unregister_p1_sa.
    ## 2014-03-03 12:03:44 : IKE<0.0.0.0        >   delete peer identity 0x44bdd00
    ## 2014-03-03 12:03:44 : IKE<0.0.0.0        >   peer_identity_remove_from_peer: num entry before remove <2>
    ## 2014-03-03 12:03:44 : peer_idt.c peer_identity_unregister_p1_sa 686: pidt deleted.

    Any advice will be highly appreciated.

     

    Thank you!

     



  • 2.  RE: Dial-up VPN to SSG5 with Shrewsoft VPN client phase1 issues

    Posted 03-03-2014 05:04

    The key message here is likely the "NO-PROPOSAL-CHOSEN" message.  This generally means that the crypto package selections on the firewall and on the Shrew client are not a match.  You need to double check those selections and probably make an adjustment on one side.

     

    Check out kb6168

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB6168



  • 3.  RE: Dial-up VPN to SSG5 with Shrewsoft VPN client phase1 issues

    Posted 03-04-2014 01:11

    Hello,

     

    Thank you for your reply

     

    Just to make sure I understand correctly, the problem is not related to Phase1, but Phase2?

     

    I got confused because of the error message from the SSG5:

    Rejected an IKE packet on ethernet0/0 from 84.242.191.2:38175 to 188.126.9.33:500 with cookies 101b6687cb47f54d and 6d66721c1402bd3a because There were no acceptable Phase 1 proposals.

     

    Please LMK for which phase I need to change the proposals

     

    Thank you!



  • 4.  RE: Dial-up VPN to SSG5 with Shrewsoft VPN client phase1 issues

    Posted 03-06-2014 14:09

    It never hurts to check both.  But in my experience this looks like a phase 2 mis-match.



  • 5.  RE: Dial-up VPN to SSG5 with Shrewsoft VPN client phase1 issues

    Posted 03-08-2014 11:00

    Hello Steve,

     

    Thank you for your suggestion

     

    I checked both the Phase 1 and Phase 2 settings and even tried different ones, but I am still getting the same error.

     

     



  • 6.  RE: Dial-up VPN to SSG5 with Shrewsoft VPN client phase1 issues

    Posted 03-11-2014 03:20

    Are the messages in the log any different?

     

    Is this the setup guide you are using for the configuration?

     

    https://www.shrew.net/support/Howto_Juniper_SSG



  • 7.  RE: Dial-up VPN to SSG5 with Shrewsoft VPN client phase1 issues
    Best Answer

     
    Posted 03-12-2014 00:52

    Hi,

     

    Phase-1 is failing:

     

    ## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98> Process [SA]:
    ## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98> Proposal received: xauthflag 1
    ## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98> auth(1)<PRESHRD>, encr(5)<3DES>, hash(2)<SHA>, group(2)
    ## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98> xauth attribute: initiator
    ## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98> [0] expect: xauthflag 0
    ## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98> auth(1)<PRESHRD>, encr(5)<3DES>, hash(2)<SHA>, group(2)
    ## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98> xauth attribute: disabled
    ## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98> Phase 1: Rejected proposals from peer. Negotiations failed.

     

    Looks like you have enabled XAuth on Shrew, while it is not enabled on the firewall gateway setting. Try enabling Xauth.

     

    Check the article shared by Steve (https://www.shrew.net/support/Howto_Juniper_SSG) --> 

    Define Xauth Parameters
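
The diagnosis above is done by reading the two proposal blocks by eye. As an added example (not Juniper's or Shrew's code, and not posted by anyone in this thread), here is a small Python parser for ScreenOS `debug ike` output that pulls out the peer's Phase 1 proposal and each gateway proposal the firewall compared it against, and names the attribute that differs. It assumes only the line formats shown in this thread; the sample log is constructed from them. It goes a little beyond this case: it flags crypto mismatches (auth/encr/hash/group) as well as the XAuth attribute, and records the NO-PROPOSAL-CHOSEN notify that reply 2 points to.

```python
# Added example: explain a ScreenOS 'debug ike' Phase 1 proposal rejection.
# Assumes the log line formats shown in this thread; not Juniper or Shrew code.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log, trimmed to the lines that matter. XXX.XXX.28.98 is
# the masked peer address used in the thread.
SAMPLE_LOG = """\
## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98> Phase 1: Responder starts AGGRESSIVE mode negotiations.
## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98> Process [SA]:
## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98> Proposal received: xauthflag 1
## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98> auth(1)<PRESHRD>, encr(5)<3DES>, hash(2)<SHA>, group(2)
## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98> xauth attribute: initiator
## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98> [0] expect: xauthflag 0
## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98> auth(1)<PRESHRD>, encr(5)<3DES>, hash(2)<SHA>, group(2)
## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98> xauth attribute: disabled
## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98> Phase 1: Rejected proposals from peer. Negotiations failed.
## 2014-03-03 12:03:24 : IKE<XXX.XXX.28.98> Construct [NOTIF]:(NO-PROPOSAL-CHOSEN)
"""


@dataclass
class Proposal:
    """One Phase 1 proposal as ScreenOS prints it."""
    xauthflag: str      # "1" = peer asks for XAuth, "0" = no XAuth
    auth: str = ""      # e.g. PRESHRD
    encr: str = ""      # e.g. 3DES
    hash: str = ""      # e.g. SHA
    group: str = ""     # DH group number
    xauth: str = ""     # value of the "xauth attribute:" line


# Attributes compared between the received proposal and each expected one.
FIELDS = ("auth", "encr", "hash", "group", "xauth")

RE_PEER = re.compile(r"IKE<([^\s>]+)")
RE_MODE = re.compile(r"Responder starts (\w+) mode")
RE_RECEIVED = re.compile(r"Proposal received: xauthflag (\d)")
RE_EXPECT = re.compile(r"\[(\d+)\] expect: xauthflag (\d)")
RE_ALGOS = re.compile(r"auth\(\d+\)<(\w+)>, encr\(\d+\)<(\w+)>, hash\(\d+\)<(\w+)>, group\((\d+)\)")
RE_XAUTH = re.compile(r"xauth attribute: (\w+)")
RE_NOTIF = re.compile(r"Construct \[NOTIF\]:\((\S+)\)")


def diagnose(text: str) -> Dict:
    """Parse debug-ike lines and compare the peer's proposal with each gateway proposal."""
    peer = mode = notify = None
    received: Optional[Proposal] = None
    expected: List[Proposal] = []
    current: Optional[Proposal] = None   # proposal the next algo/xauth line belongs to
    rejected = False
    for line in text.splitlines():
        m = RE_PEER.search(line)
        if m and m.group(1) != "0.0.0.0":
            peer = m.group(1)
        if m := RE_MODE.search(line):
            mode = m.group(1)
        elif m := RE_RECEIVED.search(line):
            received = current = Proposal(xauthflag=m.group(1))
        elif m := RE_EXPECT.search(line):
            current = Proposal(xauthflag=m.group(2))
            expected.append(current)
        elif (m := RE_ALGOS.search(line)) and current is not None:
            current.auth, current.encr, current.hash, current.group = m.groups()
        elif (m := RE_XAUTH.search(line)) and current is not None:
            current.xauth = m.group(1)
        elif "Rejected proposals from peer" in line:
            rejected = True
        elif m := RE_NOTIF.search(line):
            notify = m.group(1)
    mismatches = []
    if received is not None:
        for idx, exp in enumerate(expected):
            diff = [f for f in FIELDS if getattr(received, f) != getattr(exp, f)]
            if diff:
                mismatches.append({"index": idx, "fields": diff})
    return {"peer": peer, "mode": mode, "rejected": rejected, "notify": notify,
            "received": received, "expected": expected, "mismatches": mismatches}


def explain(d: Dict) -> str:
    """Render the diagnosis as a short human-readable report."""
    out = [f"peer {d['peer']} ({d['mode']} mode): "
           + ("Phase 1 REJECTED" if d["rejected"] else "no rejection seen")]
    if d["notify"]:
        out.append(f"gateway replied with NOTIFY {d['notify']}")
    r = d["received"]
    if r is None:
        out.append("no 'Proposal received' line found")
        return "\n".join(out)
    out.append(f"peer offered : {r.auth}/{r.encr}/{r.hash}/group{r.group}, xauth={r.xauth}")
    for idx, e in enumerate(d["expected"]):
        out.append(f"gateway [{idx}] : {e.auth}/{e.encr}/{e.hash}/group{e.group}, xauth={e.xauth}")
    for mm in d["mismatches"]:
        out.append(f"  proposal [{mm['index']}] differs in: {', '.join(mm['fields'])}")
    if d["mismatches"] and all(mm["fields"] == ["xauth"] for mm in d["mismatches"]):
        out.append("only the XAuth attribute differs: the client sends XAuth but the gateway "
                   "has it disabled (enable XAuth on the gateway, or turn it off on the client)")
    return "\n".join(out)


if __name__ == "__main__":
    print(explain(diagnose(SAMPLE_LOG)))
```

Run it against a saved `debug ike` capture instead of `SAMPLE_LOG` to get the same breakdown for a live negotiation; when the crypto columns agree and only `xauth` is listed, the cause is the gateway's XAuth setting rather than the proposal names.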



  • 8.  RE: Dial-up VPN to SSG5 with Shrewsoft VPN client phase1 issues

    Posted 03-12-2014 06:31

    Hello,

     

    Thank you for your suggestion

     

    Unfortunately on the provided URL I was unable to find anything related to the XAUTH configuration on the SSG5. Please find below my current cfg:

     

    unset key protection enable
    set clock timezone 1
    set clock dst recurring start-weekday 2 0 3 02:00 end-weekday 1 0 11 02:00
    set vrouter trust-vr sharable
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset auto-route-export
    exit
    set alg appleichat enable
    unset alg appleichat re-assembly enable
    set alg sctp enable
    set auth-server "Local" id 0
    set auth-server "Local" server-name "Local"
    set auth default auth server "Local"
    set auth radius accounting port 1646
    set admin name "username"
    set admin password "password"
    set admin manager-ip XX.XX.28.98
    set admin ssh port 22
    set admin http redirect
    set admin auth web timeout 10
    set admin auth dial-in timeout 3
    set admin auth server "Local"
    set admin privilege read-write
    set admin format dos
    set zone "Trust" vrouter "trust-vr"
    set zone "Untrust" vrouter "trust-vr"
    set zone "DMZ" vrouter "trust-vr"
    set zone "VLAN" vrouter "trust-vr"
    set zone id 100 "Servers"
    set zone "Untrust-Tun" vrouter "trust-vr"
    set zone "Trust" tcp-rst
    set zone "Untrust" block
    unset zone "Untrust" tcp-rst
    set zone "MGT" block
    unset zone "V1-Trust" tcp-rst
    unset zone "V1-Untrust" tcp-rst
    set zone "DMZ" tcp-rst
    unset zone "V1-DMZ" tcp-rst
    unset zone "VLAN" tcp-rst
    unset zone "Servers" tcp-rst
    set zone "Untrust" screen tear-drop
    set zone "Untrust" screen syn-flood
    set zone "Untrust" screen ping-death
    set zone "Untrust" screen ip-filter-src
    set zone "Untrust" screen land
    set zone "V1-Untrust" screen tear-drop
    set zone "V1-Untrust" screen syn-flood
    set zone "V1-Untrust" screen ping-death
    set zone "V1-Untrust" screen ip-filter-src
    set zone "V1-Untrust" screen land
    set interface "ethernet0/0" zone "Untrust"
    set interface "ethernet0/1" zone "DMZ"
    set interface "bgroup0" zone "Trust"
    set interface "bgroup1" zone "Servers"
    set interface bgroup0 port ethernet0/2
    set interface bgroup1 port ethernet0/3
    unset interface vlan1 ip
    set interface ethernet0/0 ip XX.XX.9.33/24
    set interface ethernet0/0 route
    set interface ethernet0/1 ip 10.10.20.1/24
    set interface ethernet0/1 nat
    set interface bgroup0 ip 192.169.0.1/24
    set interface bgroup0 nat
    set interface bgroup1 ip 192.168.20.1/24
    set interface bgroup1 route
    set interface ethernet0/0 gateway XX.XX.9.1
    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip
    set interface ethernet0/0 ip manageable
    set interface ethernet0/1 ip manageable
    set interface bgroup0 ip manageable
    unset interface bgroup1 ip manageable
    set interface ethernet0/0 manage ping
    set interface ethernet0/0 manage ssh
    set interface ethernet0/0 manage ssl
    unset interface bgroup0 manage telnet
    set interface bgroup0 manage mtrace
    set interface "ethernet0/0" mip XX.XX.9.34 host 192.169.0.10 netmask 255.255.255.255 vr "trust-vr"
    set interface "serial0/0" modem settings "USR" init "AT&F"
    set interface "serial0/0" modem settings "USR" active
    set interface "serial0/0" modem speed 115200
    set interface "serial0/0" modem retry 3
    set interface "serial0/0" modem interval 10
    set interface "serial0/0" modem idle-time 10
    set flow tcp-mss
    unset flow tcp-syn-check
    unset flow tcp-syn-bit-check
    set flow reverse-route clear-text prefer
    set flow reverse-route tunnel always
    set hostname device
    set pki authority default scep mode "auto"
    set pki x509 default cert-path partial
    set dns host dns1 XX.XX.0.2 src-interface ethernet0/0
    set dns host dns2 8.8.8.8 src-interface ethernet0/0
    set dns host dns3 8.8.4.4 src-interface ethernet0/0
    set address "Trust" "192.169.0.0/24" 192.169.0.0 255.255.255.0
    set address "Trust" "Private network 192.169.0.0/24" 192.169.0.0 255.255.255.0
    set address "Trust" "Xen mgmt" 192.169.0.10 255.255.255.255
    set address "Untrust" "XX.XX.28.98" XX.XX.28.98 255.255.255.255
    set ippool "Dial-up VPN" 10.20.30.2 10.20.30.3
    set user "user" uid 1
    set user "user" ike-id u-fqdn "user@domain.info" share-limit 1
    set user "user" type ike xauth
    set user "user" remote ippool "Dial-up VPN"
    set user "user" password "password"
    unset user "user" type auth
    set user "user" "enable"
    set user "user2" uid 2
    set user "user2" ike-id u-fqdn "user2@domain.info" share-limit 1
    set user "user2" type ike
    set user "user2" "enable"
    set user-group "Dial-up VPN" id 1
    set user-group "Dial-up VPN" user "user"
    set crypto-policy
    exit
    set ike gateway "Dialup GW" dialup "Dial-up VPN" Aggr outgoing-interface "ethernet0/0" preshare "psk" proposal "pre-g2-3des-sha"
    unset ike gateway "Dialup GW" nat-traversal udp-checksum
    set ike gateway "Dialup GW" nat-traversal keepalive-frequency 5
    set ike respond-bad-spi 1
    set ike ikev2 ike-sa-soft-lifetime 60
    unset ike ikeid-enumeration
    unset ike dos-protection
    unset ipsec access-session enable
    set ipsec access-session maximum 5000
    set ipsec access-session upper-threshold 0
    set ipsec access-session lower-threshold 0
    set ipsec access-session dead-p2-sa-timeout 0
    unset ipsec access-session log-error
    unset ipsec access-session info-exch-connected
    unset ipsec access-session use-error-log
    set xauth default ippool "Dial-up VPN"
    set xauth default dns1 XX.XX.0.2
    set xauth default dns2 8.8.8.8
    set vpn "Dialup VPN" gateway "Dialup GW" no-replay tunnel idletime 0 proposal "g2-esp-aes128-sha"
    set url protocol websense
    exit
    set policy id 8 from "Untrust" to "Trust"  "Dial-Up VPN" "192.169.0.0/24" "ANY" tunnel vpn "Dialup VPN" id 0x2 log
    set policy id 8
    exit
    set policy id 7 from "Trust" to "Untrust"  "Xen mgmt" "XX.XX.28.98" "ANY" permit log
    set policy id 7
    exit
    set policy id 6 from "Untrust" to "Global"  "XX.XX.28.98" "MIP(XX.XX.9.34)" "ANY" permit log
    set policy id 6
    exit
    set policy id 5 from "Trust" to "Untrust"  "192.169.0.0/24" "Any" "ANY" permit log
    set policy id 5
    exit
    set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" deny
    set policy id 1
    exit
    set policy id 2 name "Block all" from "Untrust" to "Trust"  "Any" "Any" "ANY" deny
    set policy id 2
    exit
    set policy id 3 name "Deny all" from "Untrust" to "Global"  "Any" "Any" "ANY" deny
    set policy id 3
    exit
    set nsmgmt bulkcli reboot-timeout 60
    set ssh version v2
    set ssh enable
    set config lock timeout 5
    unset license-key auto-update
    set telnet client enable
    set snmp port listen 161
    set snmp port trap 162
    set snmpv3 local-engine id "0162102006001112"
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset add-default-route
    exit
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit

    Thanks!



  • 9.  RE: Dial-up VPN to SSG5 with Shrewsoft VPN client phase1 issues

    Posted 03-12-2014 10:29

    Gokul is correct, you don't have XAuth enabled on your gateway. Try the following command:

     

    set ike gateway "Dialup GW" xauth

     

    Or, if you prefer the WebUI, navigate to VPNs -> AutoKey Advanced -> Gateway, click the 'Xauth' link for your dialup GW, select the 'XAuth Server' and 'Generic' radio buttons, then 'OK'.



  • 10.  RE: Dial-up VPN to SSG5 with Shrewsoft VPN client phase1 issues

     
    Posted 03-12-2014 20:56


  • 11.  RE: Dial-up VPN to SSG5 with Shrewsoft VPN client phase1 issues

    Posted 03-13-2014 03:22

    Hello,

     

    I would like to thank everyone participating in this thread and assisting on this matter

     

    Indeed this was the problem and it is now fixed

     

    Really appreciated!