Sorry for my long-term absence. I really had difficulties getting your configuration together, but did not know what to ask to make it more clear.
From your description I reckon you have not used explicit Proxy IDs on SSG. If you don't, the Proxy ID is derived from the policy's address entries.
I've tested back and forth, and the config working for me was by allowing for separate security associations:
- In SSG:
  - Create a copy of your Dial-In VPN P2 definition (AutoKey IKE), change the destination to the 193.x network. Make sure the Proxy ID flag is not checked. Give it an appropriate name, like "Dial-In VPN 193.x".
  - Copy your dial-in policy (Untrust to Trust). Change to the 193.x as destination, and the VPN to your newly created P2 definition.
- In Shrew:
  - Change your "Policy" settings to include both networks, exactly as provided in your SSG policies.
That's it. The only point where you might have difficulties now is that the ShrewSoft VIP is not known by the 193.x side and/or the right-hand Cisco. You might want to try to NAT that address in the corresponding SSG policy; that should help.