Accessing specific VLAN after VPN based on user

Hello 

I have an SRX 5308. I have 3 VLANs defined.

Default = 192.168.3.1

VLAN10 = 10.50.10.1

VLAN20 = 10.50.20.1

I need to define IPSec VPN, such that when user1 logs in, he gets the Default VLAN.

When user2 logs in, he gets VLAN10 and user3 gets VLAN20.

I was able to create an IKE Policy and Mode Config to get into Default VLAN. When I login as user1, I can get access to all Default VLAN resources - so this works as desired.

So I created a similar setup created a new Mode Config - and here I set different IP range in mode config - I even tried copying exact same DNS and IP info (not the range as it would not allow 2 mode config with same IP range)

Here are the screen shots. First 2 are the IKE policy and Mode Config that work.

Second two are the ones that dont work.

FYI - I am using Shrew VPN client

My VPN log seems to show this with the policy that does not work.

I have created identical profiles (except the FQDN and shared key), I am at a loss....  

Please advise...

Wed Nov 23 08:53:53 2016 (GMT +0000): [SRX5308] [IKE] ERROR: Ignore information because ISAKMP-SA has not been established yet.
Wed Nov 23 08:53:43 2016 (GMT +0000): [SRX5308] [IKE] INFO: Received Malformed packet of payload length 36460 and total length 40.

IN THE BELOW MODE CONFIG, I HAVE TRIED TO CHANGE THE DNS and LOCL PRIMARY to various values (VLAN ip, router ip etc), but none seems to work