A brief explanation of common errors for VPN follows.

---

Note: For the purposes of this document, Client ID, Username, and Phase 1 ID are interchangeable.

---

3382: Failed to find secure tunnel for entity based on Proxy ID
There is a misconfiguration in the entities in your security association. Verify that each entity and security gateway have the correct address and netmask.

3384: Payload incorrectly formed
When this message is logged, a mismatch in the shared secret and possibly the client id pair exist. If the VPN tunnel is client-to-site, check the Client IDs (User names) and shared secrets (passwords) to ensure that they match. Also check if there is a gateway phase 1 ID (also called "distinguished name"). If the VPN tunnel is site-to-site, check the Phase 1 IDs and Shared Secrets. These are all case sensitive. If the case is not consistent on both gateways, this error is logged.

3386: Proposal not chosen
This is probably a misconfiguration in the global_ike_policy. You typically have only one Global IKE policy, which specifies what you accept in IKE negotiation. Ensure that all of your connections conform to your global_ike_policy. This message can also indicate that one of the security gateways is configured to use aggressive mode and the other is configured for main mode.