Installed fresh NW65SP3 + BM38SP3 + BM38SP1-IR1, Client 3.8.9.

Bordermanager is in DMZ zone behind NAT (netscreen), with all traffic
allowed in and out (for testing, with logging)

Configured BM server trough iManager with Public IP adres for VPN

I can connect with client trough NMAS authentication. Policies are
pushed to the Client: 10.x.x.x encrypt, any adres: no encryption, last
any adres deny packets.

When on client I try to ping (or tracert) to 10.x.x.x address, packets
are not going to tunnel, but to default router and arrive nowhere...

RIP filtering is enabled on server. Checked with a working BM3.7
server, and looks identical, except for server IP addresses

configured BM38 also to work in backward compatibility mode (load
vpncfg, ...). Same problem: Can log in, get protected networks, but can
not ping them.

In server manager, VPN status, activity, client, I get VPN tunnel is
down, check audit log.

Audit log follows (last message on top), only error I see is a
"proposal mismatch"

IKE ESP SA was created successfully with
IKE Sending proxy id :Type 4
IKE Sending proxy id: Type 1
IKE Received proxy Id : IPV4 SUBNET
IKE Received proxy id ID_IPV4_ADDR
IKE IPSEC SA NEGOTIATION - Peer lifetime is: 7200 My lifetime is: 7200

IKE Proposal Mismatch - Quick Mode : ESP - transform mismatch mine :
esp 3des his : esp des dst: src: cookies my-his
:34488A57674CBCDF - 3F54712E199B43C7

IKE Received proxy Id : IPV4 SUBNET
IKE Received proxy id ID_IPV4_ADDR
IKE IKE SA was created successfully with, encr = 3DES, SA
lifetime = 28800 sec

Any idea where problem might be?