Thank you for your reply; it got me one step ahead. Unfortunately, phase1 is still not successfully connecting. See the IKE debug log:
ssg5-serial-> get db stream
## 2009-02-20 13:49:55 : reap_db. deleting p1sa 256c560
## 2009-02-20 13:49:55 : terminate_SA: trying to delete SA cause: 0 cond: 2
## 2009-02-20 13:49:55 : IKE<10.10.10.134> xauth_cleanup()
## 2009-02-20 13:49:55 : IKE<10.10.10.134> Done cleaning up IKE Phase 1 SA
## 2009-02-20 13:49:55 : peer_identity_unregister_p1_sa.
## 2009-02-20 13:49:55 : IKE<0.0.0.0 > delete peer identity 0x25cafb0
## 2009-02-20 13:49:55 : IKE<0.0.0.0 > peer_identity_remove_from_peer:
num entry before remove <2>
## 2009-02-20 13:49:55 : peer_idt.c peer_identity_unregister_p1_sa 668: pidt del
eted.
## 2009-02-20 13:51:13 : IKE<10.10.10.134> ike packet, len 428, action 1
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Catcher: received 400 bytes from sock
et.
## 2009-02-20 13:51:13 : IKE<10.10.10.134> ****** Recv packet if <ethernet0/0> o
f vsys <Root> ******
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Catcher: get 400 bytes. src port 500
## 2009-02-20 13:51:13 : IKE<0.0.0.0 > ISAKMP msg: len 400, nxp 1[SA],
exch 4[AG], flag 00
## 2009-02-20 13:51:13 : IKE<10.10.10.134 > Recv : [SA] [KE] [NONCE] [ID] [VID
] [VID] [VID] [VID] [VID]
## 2009-02-20 13:51:13 : [VID]
## 2009-02-20 13:51:13 : valid id checking, id type:U-FQDN, len:24.
## 2009-02-20 13:51:13 : IKE<0.0.0.0 > Validate (372): SA/48 KE/132 N
ONCE/36 ID/24 VID/48 VID/12 VID/20 VID/12 VID/20
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Receive Id in AG mode, id-type=3, id=
vpn@customer.com, idlen = 16
## 2009-02-20 13:51:13 : locate peer entry for (3/vpn@customer.com), by identi
ty.
## 2009-02-20 13:51:13 : Found identity<vpn@customer.com> in group <2> user id
<6>.
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Found peer entry (VPN CLIENTS) from 1
0.10.10.134.
## 2009-02-20 13:51:13 : responder create sa: 10.10.10.134->10.10.10.4
## 2009-02-20 13:51:13 : init p1sa, pidt = 0x0
## 2009-02-20 13:51:13 : change peer identity for p1 sa, pidt = 0x0
## 2009-02-20 13:51:13 : IKE<0.0.0.0 > peer_identity_create_with_uid: u
id<0>
## 2009-02-20 13:51:13 : IKE<0.0.0.0 > create peer identity 0x25cafb0
## 2009-02-20 13:51:13 : IKE<0.0.0.0 > peer_identity_add_to_peer: num e
ntry before add <1>
## 2009-02-20 13:51:13 : IKE<0.0.0.0 > peer_identity_add_to_peer: num e
ntry after add <2>
## 2009-02-20 13:51:13 : peer identity 25cafb0 created.
## 2009-02-20 13:51:13 : IKE<0.0.0.0 > EDIPI disabled
## 2009-02-20 13:51:13 : IKE<10.10.10.134> getProfileFromP1Proposal->
## 2009-02-20 13:51:13 : IKE<10.10.10.134> find profile[0]=<00000007 00000002 00
000001 00000002> for p1 proposal (id 7), xauth(1)
## 2009-02-20 13:51:13 : IKE<10.10.10.134> responder create sa: 10.10.10.134->10
.10.10.4
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Phase 1: Responder starts AGGRESSIVE
mode negotiations.
## 2009-02-20 13:51:13 : IKE<10.10.10.134> AG in state OAK_AG_NOSTATE.
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Process [VID]:
## 2009-02-20 13:51:13 : IKE<10.10.10.134 > Vendor ID:
## 2009-02-20 13:51:13 : 47 bb e7 c9 93 f1 fc 13 b4 e6 d0 db 56 5c 68 e5
## 2009-02-20 13:51:13 : 01 02 01 01 02 01 01 03 10 31 30 2e 38 2e 35 20
## 2009-02-20 13:51:13 : 28 42 75 69 6c 64 20 32 29 00 00 00
## 2009-02-20 13:51:13 : IKE<10.10.10.134> receive unknown vendor ID payload
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Process [VID]:
## 2009-02-20 13:51:13 : IKE<10.10.10.134 > Vendor ID:
## 2009-02-20 13:51:13 : da 8e 93 78 80 01 00 00
## 2009-02-20 13:51:13 : IKE<10.10.10.134> receive unknown vendor ID payload
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Process [VID]:
## 2009-02-20 13:51:13 : IKE<10.10.10.134 > Vendor ID:
## 2009-02-20 13:51:13 : af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Process [VID]:
## 2009-02-20 13:51:13 : IKE<10.10.10.134 > Vendor ID:
## 2009-02-20 13:51:13 : 09 00 26 89 df d6 b7 12
## 2009-02-20 13:51:13 : IKE<10.10.10.134> rcv XAUTH v6.0 vid
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Process [VID]:
## 2009-02-20 13:51:13 : IKE<10.10.10.134 > Vendor ID:
## 2009-02-20 13:51:13 : 44 85 15 2d 18 b6 bb cd 0b e8 a8 46 95 79 dd cc
## 2009-02-20 13:51:13 : IKE<10.10.10.134> rcv NAT-Traversal VID payload (draft-
ietf-ipsec-nat-t-ike-00).
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Process [VID]:
## 2009-02-20 13:51:13 : IKE<10.10.10.134 > Vendor ID:
## 2009-02-20 13:51:13 : 90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f
## 2009-02-20 13:51:13 : IKE<10.10.10.134> rcv NAT-Traversal VID payload (draft-
ietf-ipsec-nat-t-ike-02).
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Process [SA]:
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Proposal received: xauthflag 1
## 2009-02-20 13:51:13 : IKE<10.10.10.134> auth(1)<PRESHRD>, encr(7)<AES>, hash(
2)<SHA>, group(2), keylen(128)
## 2009-02-20 13:51:13 : IKE<10.10.10.134> xauth attribute: initiator
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Phase 1 proposal [0] selected.
## 2009-02-20 13:51:13 : IKE<0.0.0.0 > dh group 2
## 2009-02-20 13:51:13 : IKE<10.10.10.134> DH_BG_consume OK. p1 resp
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Process [KE]:
## 2009-02-20 13:51:13 : IKE<10.10.10.134> processing ISA_KE in phase 1.
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Process [NONCE]:
## 2009-02-20 13:51:13 : IKE<10.10.10.134> processing NONCE in phase 1.
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Process [ID]:
## 2009-02-20 13:51:13 : IKE<10.10.10.134> ID received: type=ID_USER_FQDN, USER
FQDN = vpn@customer.com, port=500, protocol=17
## 2009-02-20 13:51:13 : IKE<10.10.10.134> process_id need to update peer entry,
cur <VPN CLIENTS>.
## 2009-02-20 13:51:13 : locate peer entry for (3/vpn@customer.com), by identi
ty.
## 2009-02-20 13:51:13 : Found identity<vpn@customer.com> in group <2> user id
<6>.
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Dynamic peer IP addr, search peer by
identity.
## 2009-02-20 13:51:13 : IKE<10.10.10.134> peer gateway entry has no peer id con
figured
## 2009-02-20 13:51:13 : IKE<10.10.10.134> ID processed. return 0. sa->p1_state
= 0.
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Phase 1 AG Responder constructing 2nd
message.
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Construct ISAKMP header.
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Msg header built (next payload #1)
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Construct [SA] for ISAKMP
## 2009-02-20 13:51:13 : IKE<10.10.10.134> auth(1)<PRESHRD>, encr(7)<AES>, hash(
2)<SHA>, group(2), keylen(128)
## 2009-02-20 13:51:13 : IKE<10.10.10.134> xauth attribute: disabled
## 2009-02-20 13:51:13 : IKE<10.10.10.134> lifetime/lifesize (0/0)
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Construct NetScreen [VID]
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Construct custom [VID]
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Construct custom [VID]
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Construct custom [VID]
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Construct [KE] for ISAKMP
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Construct [NONCE]
## 2009-02-20 13:51:13 : IKE<10.10.10.134> gen_skeyid()
## 2009-02-20 13:51:13 : IKE<10.10.10.134> gen_skeyid: returning 0
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Construct [ID] for ISAKMP
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Construct [HASH]
## 2009-02-20 13:51:13 : IKE<10.10.10.134> ID, len=8, type=1, pro=17, port=500,
## 2009-02-20 13:51:13 : IKE<10.10.10.134> addr=10.10.10.4
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Construct NAT-T [VID]: draft 2
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Responder psk ag mode: natt vid const
ructed.
## 2009-02-20 13:51:13 : IKE<10.10.10.134> responder (psk) constructing remote N
AT-D
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Construct [NATD]
## 2009-02-20 13:51:13 : IKE<10.10.10.134> responder (psk) constructing local NA
T-D
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Construct [NATD]
## 2009-02-20 13:51:13 : IKE<10.10.10.134 > Xmit : [SA] [VID] [VID] [VID] [VID
] [KE] [NONCE] [ID] [HASH]
## 2009-02-20 13:51:13 : [VID] [NATD] [NATD]
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Responder sending IPv4 IP 10.10.10.13
4/port 500
## 2009-02-20 13:51:13 : IKE<10.10.10.134> Send Phase 1 packet (len=424)
## 2009-02-20 13:51:13 : IKE<10.10.10.134> IKE msg done: PKI state<0> IKE state<
5/91180f>
## 2009-02-20 13:51:14 : IKE<10.10.10.134> ike packet, len 108, action 0
## 2009-02-20 13:51:14 : IKE<10.10.10.134> Catcher: received 80 bytes from socke
t.
## 2009-02-20 13:51:14 : IKE<10.10.10.134> ****** Recv packet if <ethernet0/0> o
f vsys <Root> ******
## 2009-02-20 13:51:14 : IKE<10.10.10.134> Catcher: get 80 bytes. src port 500
## 2009-02-20 13:51:14 : IKE<0.0.0.0 > ISAKMP msg: len 80, nxp 8[HASH],
exch 5[INFO], flag 00
## 2009-02-20 13:51:14 : IKE<10.10.10.134 > Recv : [HASH] [NOTIF]
## 2009-02-20 13:51:14 : IKE<10.10.10.134> receive pkt with mseeage id before ph
ase 1 auth is done. Ingore the pkt
## 2009-02-20 13:51:18 : IKE<10.10.10.134> re-trans timer expired, msg retry (0)
(91180f/5)
## 2009-02-20 13:51:18 : IKE<10.10.10.134> Responder sending IPv4 IP 10.10.10.13
4/port 500
## 2009-02-20 13:51:18 : IKE<10.10.10.134> Send Phase 1 packet (len=424)
## 2009-02-20 13:51:19 : IKE<0.0.0.0 > dh group 2
## 2009-02-20 13:51:22 : IKE<10.10.10.134> re-trans timer expired, msg retry (1)
(91180f/5)
## 2009-02-20 13:51:22 : IKE<10.10.10.134> Responder sending IPv4 IP 10.10.10.13
4/port 500
## 2009-02-20 13:51:22 : IKE<10.10.10.134> Send Phase 1 packet (len=424)
## 2009-02-20 13:51:26 : IKE<10.10.10.134> re-trans timer expired, msg retry (2)
(91180f/5)
## 2009-02-20 13:51:26 : IKE<10.10.10.134> Responder sending IPv4 IP 10.10.10.13
4/port 500
## 2009-02-20 13:51:26 : IKE<10.10.10.134> Send Phase 1 packet (len=424)
## 2009-02-20 13:51:30 : IKE<10.10.10.134> re-trans timer expired, msg retry (3)
(91180f/5)
## 2009-02-20 13:51:30 : IKE<10.10.10.134> Responder sending IPv4 IP 10.10.10.13
4/port 500
## 2009-02-20 13:51:30 : IKE<10.10.10.134> Send Phase 1 packet (len=424)
## 2009-02-20 13:51:34 : IKE<10.10.10.134> re-trans timer expired, msg retry (4)
(91180f/5)
## 2009-02-20 13:51:34 : IKE<10.10.10.134> Responder sending IPv4 IP 10.10.10.13
4/port 500
## 2009-02-20 13:51:34 : IKE<10.10.10.134> Send Phase 1 packet (len=424)
Message Edited by Danipaan on 02-20-2009 04:59 AM