There is a Cisco 878 and a Juniper SRX3600. The task is to create a VPN tunnel between them.
Cisco Trusted interface 192.168.1.20
Cisco Untrusted interface 10.0.0.1
Juniper SRX Trusted interface 192.168.103.20
Juniper SRX Untrusted interface 192.168.103.20
Help with the config !!!!
THANKS
Sorry, a mistake in the interface
"VPN Tunnel between Cisco 878 and Juniper SRX"
There is a Cisco 878 and a Juniper SRX3600. The task is to create a VPN tunnel between them.
Cisco Trusted interface 192.168.1.20
Cisco Untrusted interface 10.0.0.1
Juniper SRX Trusted interface 192.168.103.20
Juniper SRX Untrusted interface 10.0.0.2
Help with the config !!!!
THANKS
I recently worked through this topic myself
You either do it by creating a gre interface on the Juniper
http://axeldittmann.spaces.live.com/blog/cns!DDC34FAAF045450...
Or you use the st0 interface on the Juniper - I did it this way
http://www.marfitsin.ru/index.php/articles/11-vpn/12-ciscoju...
Everything works for me with the second example.
> I recently worked through this topic myself
> You either do it by creating a gre interface on the Juniper
> http://axeldittmann.spaces.live.com/blog/cns!DDC34FAAF045450...
> Or you use the st0 interface on the Juniper - I did it this way
> http://www.marfitsin.ru/index.php/articles/11-vpn/12-ciscoju...
> Everything works for me with the second example.
I tried this method
http://www.marfitsin.ru/index.php/articles/11-vpn/12-ciscoju...
something isn't working,
can you give example configs?
interfaces {
ge-0/0/0 {
description "-- LAN";
unit 0 {
description "-- LAN";
family inet {
address 192.168.54.1/26;
}
}
}
fe-0/0/2 {
description "-- TopNet-Tun";
unit 0 {
description "-- TopNet-Tun";
family inet {
filter {
input Block-E;
}
address aa.bb.cc.dd/30;
}
}
}
st0 {
unit 0 {
description "-- To LSR Peterstar";
family inet {
mtu 1500;
address 172.16.0.206/30;
}
}
}
}
security {
ike {
proposal IKE_AES {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm aes-128-cbc;
lifetime-seconds 86400;
}
policy ph1-policy {
mode main;
proposals IKE_AES;
pre-shared-key ascii-text "qwertyui"; ## SECRET-DATA
}
gateway asdfgh {
ike-policy ph1-policy;
address ee.ff.gg.hh;
external-interface fe-0/0/2.0;
}
}
ipsec {
proposal IPSEC_AES {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm aes-128-cbc;
lifetime-seconds 86400;
}
policy Inet-policy {
perfect-forward-secrecy {
keys group2;
}
proposals IPSEC_AES;
}
vpn asdfgh {
bind-interface st0.0;
ike {
gateway asdfgh ;
ipsec-policy Inet-policy;
}
establish-tunnels immediately;
}
}
zones {
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
ge-0/0/0.0;
st0.0;
st0.1;
}
}
security-zone untrust {
host-inbound-traffic {
system-services {
ping;
ssh;
traceroute;
ike;
}
}
interfaces {
ge-0/0/1.0;
fe-0/0/2.0;
}
}
}
policies {
from-zone trust to-zone trust {
policy trust-to-trust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
count;
}
}
}
}
}
Current configuration : 59340 bytes
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 100
encr aes 256
authentication pre-share
group 5
!
crypto isakmp policy 110
encr aes
authentication pre-share
!
crypto isakmp policy 210
encr aes
authentication pre-share
group 2
!
crypto isakmp policy 1000
authentication pre-share
crypto isakmp key qwertyui address aa.ss.dd.ff
!
crypto ipsec transform-set 2juniper esp-aes esp-sha-hmac
!
crypto ipsec profile 2juniper
set transform-set 2juniper
set pfs group2
!
interface Tunnel72
bandwidth 10000
ip address 172.16.0.205 255.255.255.252
ip flow ingress
ip flow egress
ip tcp adjust-mss 1280
no ip mroute-cache
ip ospf authentication
ip ospf authentication-key 7 qwerty
ip ospf cost 400
ip ospf mtu-ignore
delay 400
tunnel source GigabitEthernet0/0.2
tunnel destination zz.xx.cc.vv
tunnel mode ipsec ipv4
tunnel path-mtu-discovery
tunnel protection ipsec profile 2juniper
!
interface GigabitEthernet0/0.2
description -- WAN
encapsulation dot1Q 40
ip address hh.jj.kk.ll 255.255.255.248
ip access-group Block-E in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip virtual-reassembly
no ip mroute-cache
no cdp enable
!
interface GigabitEthernet0/1
description -- LAN
ip address 10.10.0.60 255.255.240.0
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1280
ip ospf authentication
ip ospf authentication-key 7 zxcvbbn
duplex auto
speed auto
!
Damn, it won't come up :(
> Damn, it won't come up :(
that's a working config
so you need to look at the security zones on the Juniper, and maybe a blocking ACL on the Cisco if there is one.
look at the debugs as a last resort ;-)
The Cisco and the Juniper are clean, I set them up for testing now and I'm learning :)
here is the debug from the Cisco
SAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 10.0.0.1)
ISAKMP: Unlocking peer struct 0x27E8590C for isadb_mark_sa_deleted(), count 0
ISAKMP: Deleting peer node by peer_reap for 10.0.0.1: 27E8590C
ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_DEST_SA
IPSEC(key_engine): got a queue event with 1 KMI message(s)
ISAKMP:(0):deleting SA reason "No reason" state (R) MM_NO_STATE (peer 10.0.0.1)
ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
ISAKMP:(0):Old State = IKE_DEST_SA New State = IKE_DEST_SA
ISAKMP (0): received packet from 10.0.0.1 dport 500 sport 500 Global (R) MM_NO_STATE
ISAKMP:(0):purging SA., sa=27E838D4, delme=27E838D4
ISAKMP:(0):purging node -401611315
ISAKMP:(0):purging node 701748318
IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 10.0.0.2, remote= 10.0.0.1,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
ISAKMP:(0): SA request profile is (NULL)
ISAKMP: Created a peer struct for 10.0.0.1, peer port 500
ISAKMP: New peer created peer = 0x27E8590C peer_handle = 0x80000028
ISAKMP: Locking peer struct 0x27E8590C, refcount 1 for isakmp_initiator
ISAKMP: local port 500, remote port 500
ISAKMP: set new node 0 to QM_IDLE
ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 30D3452C
ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
ISAKMP:(0):found peer pre-shared key matching 10.0.0.1
ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
ISAKMP:(0): constructed NAT-T vendor-07 ID
ISAKMP:(0): constructed NAT-T vendor-03 ID
ISAKMP:(0): constructed NAT-T vendor-02 ID
ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
ISAKMP:(0): beginning Main Mode exchange
ISAKMP:(0): sending packet to 10.0.0.1 my_port 500 peer_port 500 (I) MM_NO_STATE
ISAKMP:(0):Sending an IKE IPv4 Packet.
ISAKMP (0): received packet from 10.0.0.1 dport 500 sport 500 Global (I) MM_NO_STATE
ISAKMP:(0):Couldn't find node: message_id -1040258146
ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1
ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM1
%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 10.0.0.1
ISAKMP:(0):purging SA., sa=30D362AC, delme=30D362AC
sh cry isa sa det on the Cisco
sh sec ike sec and sh sec ipsec sec on the Juniper
I take it there's nothing there? since isakmp isn't being established?
I also heard that the Juniper software they ship with is buggy
I have
Cisco IOS Software, 2800 Software (C2800NM-ADVSECURITYK9-M), Version 12.4(15)T10, RELEASE SOFTWARE (fc3)
Model: srx210h
JUNOS Software Release [10.2R3.10]
are inbound connections allowed in the zone on the Juniper?
Yes, inbound connections are allowed on the Juniper
root@srxA-1> show security ipsec security-associations
Total active tunnels: 0
root@srxA-1> show security ike security-associations

Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
T - cTCP encapsulation, X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
0 10.0.0.1 10.0.0.2 ACTIVE 0 0
Engine-id:Conn-id = ???
0 10.0.0.1 10.0.0.2 ACTIVE 0 0
Engine-id:Conn-id = ???
(deleted)
0 10.0.0.1 10.0.0.2 ACTIVE 0 0
Engine-id:Conn-id = ???
(deleted)
IPv6 Crypto ISAKMP SA
well, brother, I don't know - nothing works at all.
Post the full configs, I'll take a quick look
This is the Juniper
interfaces {
ge-0/0/0 {
description Internet;
unit 0 {
family inet {
address 10.0.0.2/29;
}
}
}
ge-0/0/1 {
description "DMZ INTERNET";
unit 0 {
family inet {
address 192.168.103.26/24;
}
}
}
fxp0 {
description "MANAGEMENT Interface";
unit 0 {
family inet {
address 172.20.100.170/24;
}
}
}
lo0 {
unit 0 {
family inet {
address 192.168.55.1/32;
}
}
}
st0 {
unit 0 {
description "VPN Tunnel";
family inet {
mtu 1500;
address 172.16.0.206/30;
}
}
}
}
security {
ike {
proposal IKE_AES {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm aes-128-cbc;
lifetime-seconds 86400;
}
policy ph1-policy {
mode main;
proposals IKE_AES;
pre-shared-key ascii-text "$9$J2Zi.Pfz6CuTzlMX-2gTz3n/t"; ## SECRET-DATA
}
gateway mygateway {
ike-policy ph1-policy;
address 10.0.0.1;
external-interface ge-0/0/0.0;
}
}
ipsec {
proposal IPSEC_AES {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm aes-128-cbc;
lifetime-seconds 86400;
}
policy Inet-policy {
perfect-forward-secrecy {
keys group2;
}
proposals IPSEC_AES;
}
vpn myvpn {
bind-interface st0.0;
ike {
gateway mygateway;
ipsec-policy Inet-policy;
}
establish-tunnels immediately;
}
}
zones {
functional-zone management {
host-inbound-traffic {
system-services {
all;
}
}
}
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
ge-0/0/1.0;
st0.0;
}
}
security-zone untrust {
host-inbound-traffic {
system-services {
ping;
ssh;
traceroute;
ike;
}
}
interfaces {
ge-0/0/0.0;
}
}
}
policies {
from-zone trust to-zone trust {
policy trust-to-trust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
count;
}
}
}
}
}
applications {
application windows_remote {
protocol tcp;
destination-port 3389;
}
}
And here's the Cisco
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 100
encr aes 256
authentication pre-share
group 5
!
crypto isakmp policy 110
encr aes
authentication pre-share
!
crypto isakmp policy 210
encr aes
authentication pre-share
!
crypto isakmp policy 1000
authentication pre-share
crypto isakmp key password address 10.0.0.2
!
!
crypto ipsec transform-set 2juniper esp-aes esp-sha-hmac
!
crypto ipsec profile 2juniper
set transform-set 2juniper
set pfs group2
!
!
!
!
!
!
interface Tunnel72
bandwidth 10000
ip address 172.16.0.205 255.255.255.252
ip flow ingress
ip flow egress
ip tcp adjust-mss 1280
ip ospf authentication
ip ospf cost 400
ip ospf mtu-ignore
delay 400
keepalive 10 3
tunnel source GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel destination 10.0.0.2
tunnel path-mtu-discovery
tunnel protection ipsec profile 2juniper
!
!
interface GigabitEthernet0/0
description Untrusted
ip address 10.0.0.1 255.255.255.248
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
no ip route-cache
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0/1/1
ip address 192.168.1.1 255.255.255.0
no ip route-cache
duplex full
speed auto
no mop enabled
!
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 Tunnel72
!
access-list 101 permit ip any any
maybe there's still something wrong with the software after all?
> maybe there's still something wrong with the software after all?
no, everything seems fine, the firmware on there is the latest ....
yes, the keys are the same
Here's the debug again
ISAKMP (0): received packet from 10.0.0.2 dport 500 sport 500 Global (N) NEW SA
ISAKMP: Created a peer struct for 10.0.0.2, peer port 500
ISAKMP: New peer created peer = 0x30D2B87C peer_handle = 0x80000160
ISAKMP: Locking peer struct 0x30D2B87C, refcount 1 for crypto_isakmp_process_block
ISAKMP: local port 500, remote port 500
ISAKMP:(0):insert sa successfully sa = 311DF510
ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
INternet#ping
ISAKMP:(0): processing SA payload. message ID = 0
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID is DPD
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 201 mismatch
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 192 mismatch
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 174 mismatch
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 221 mismatch
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
ISAKMP:(0): vendor ID is NAT-T v2
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
ISAKMP:(0): vendor ID is NAT-T v3
ISAKMP:(0):found peer pre-shared key matching 10.0.0.2
ISAKMP:(0): local preshared key found
ISAKMP : Scanning profiles for xauth ...
ISAKMP:(0):Checking ISAKMP transform 0 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: keylength of 128
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP:(0):Encryption algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 3
ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: keylength of 128
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP:(0):Encryption algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 0
ISAKMP:(0):Checking ISAKMP transform 0 against priority 100 policy
ISAKMP: encryption AES-CBC
ISAKMP: keylength of 128
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP:(0):Proposed key length does not match policy
ISAKMP:(0):atts are not acceptable. Next payload is 3
ISAKMP:(0):Checking ISAKMP transform 1 against priority 100 policy
ISAKMP: encryption AES-CBC
ISAKMP: keylength of 128
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP:(0):Proposed key length does not match policy
ISAKMP:(0):atts are not acceptable. Next payload is 0
ISAKMP:(0):Checking ISAKMP transform 0 against priority 110 policy
ISAKMP: encryption AES-CBC
ISAKMP: keylength of 128
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP:(0):Diffie-Hellman group offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 3
ISAKMP:(0):Checking ISAKMP transform 1 against priority 110 policy
ISAKMP: encryption AES-CBC
ISAKMP: keylength of 128
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP:(0):Diffie-Hellman group offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 0
ISAKMP:(0):Checking ISAKMP transform 0 against priority 210 policy
ISAKMP: encryption AES-CBC
ISAKMP: keylength of 128
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP:(0):Diffie-Hellman group offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 3
ISAKMP:(0):Checking ISAKMP transform 1 against priority 210 policy
ISAKMP: encryption AES-CBC
ISAKMP: keylength of 128
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP:(0):Diffie-Hellman group offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 0
ISAKMP:(0):Checking ISAKMP transform 0 against priority 1000 policy
ISAKMP: encryption AES-CBC
ISAKMP: keylength of 128
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP:(0):Encryption algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 3
ISAKMP:(0):Checking ISAKMP transform 1 against priority 1000 policy
ISAKMP: encryption AES-CBC
ISAKMP: keylength of 128
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP:(0):Encryption algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 0
ISAKMP:(0):no offers accepted!
ISAKMP:(0): phase 1 SA policy not acceptable! (local 10.0.0.1 remote 10.0.0.2)
ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
ISAKMP:(0): Failed to construct AG informational message.
ISAKMP:(0): sending packet to 10.0.0.2 my_port 500 peer_port 500 (R) MM_NO_STATE
ISAKMP:(0):Sending an IKE IPv4 Packet.
ISAKMP:(0):peer does not do paranoid keepalives.
ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 10.0.0.2)
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID is DPD
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 201 mismatch
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 192 mismatch
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 174 mismatch
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 221 mismatch
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
ISAKMP:(0): vendor ID is NAT-T v2
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
ISAKMP:(0): vendor ID is NAT-T v3
ISAKMP (0): FSM action returned error: 2
ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 10.0.0.2)
ISAKMP: Unlocking peer struct 0x30D2B87C for isadb_mark_sa_deleted(), count 0
ISAKMP: Deleting peer node by peer_reap for 10.0.0.2: 30D2B87C
ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_DEST_SA
ISAKMP:(0):deleting SA reason "No reason" state (R) MM_NO_STATE (peer 10.0.0.2)
ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
ISAKMP:(0):Old State = IKE_DEST_SA New State = IKE_DEST_SA
ISAKMP: set new node 0 to QM_IDLE
ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 10.0.0.1, remote 10.0.0.2)
ISAKMP: Error while processing SA request: Failed to initialize SA
ISAKMP: Error while processing KMI message 0, error 2.
ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
ISAKMP:(0): sending packet to 10.0.0.2 my_port 500 peer_port 500 (I) MM_NO_STATE
ISAKMP:(0):Sending an IKE IPv4 Packet.
ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
ISAKMP:(0): sending packet to 10.0.0.2 my_port 500 peer_port 500 (I) MM_NO_STATE
ISAKMP:(0):Sending an IKE IPv4 Packet.
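Added example (an editor's addition, not from any post in this thread and not Cisco's or Juniper's code): a small Python model of the policy walk the debug above shows. It replays the `crypto isakmp policy` list from the second Cisco config in the thread against the `proposal IKE_AES` stanza from the Junos config and reports, per policy, the first attribute IOS would reject. It assumes the documented IOS defaults for a policy parameter left unset (encr des, hash sha, authentication rsa-sig, group 1) and takes the check order from the debug (encryption, then key length, then DH group); where hash and authentication fall in that order is an assumption, and lifetime is left out because IOS negotiates it down rather than rejecting on it. The sample inputs are constructed copies of the posted configs, and all names (`Phase1`, `parse_ios_policies`, `parse_junos_proposal`, `mismatch`, `evaluate`) are mine.

```python
# Added example for this thread, not Cisco's or Juniper's code: replay how IOS walks its
# `crypto isakmp policy` list against a Junos `security ike proposal` and report mismatches.
import re
from dataclasses import dataclass

KEYLEN = {"des": 56, "3des": 168, "aes": 128}  # key bits implied when no length is given

@dataclass
class Phase1:  # field defaults are what IOS uses for a policy parameter left unset
    encr: str = "des"
    keylen: int = 56
    hash: str = "sha"
    authentication: str = "rsa-sig"
    group: int = 1

def parse_ios_policies(config):
    """Return {priority: Phase1} from an IOS config excerpt, indented or not."""
    policies, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            cur = policies.setdefault(int(m.group(1)), Phase1())
        elif cur is None or not line or line[0] == "!" or line.startswith("crypto "):
            cur = None  # '!' or the next top-level command ends the policy block
        else:
            kw, *args = line.split()
            if kw == "encr":
                cur.encr, cur.keylen = args[0], int(args[1]) if len(args) > 1 else KEYLEN[args[0]]
            elif kw in ("hash", "authentication"):
                setattr(cur, kw, args[0])
            elif kw == "group":
                cur.group = int(args[0])
    return policies

def parse_junos_proposal(config):
    """Return a Phase1 from a Junos `security ike proposal` stanza."""
    p = Phase1()
    for key, val in re.findall(r"([\w-]+)\s+([\w-]+);", config):
        if key == "authentication-method":
            p.authentication = {"pre-shared-keys": "pre-share", "rsa-signatures": "rsa-sig"}[val]
        elif key == "dh-group":
            p.group = int(val.replace("group", ""))
        elif key == "authentication-algorithm":
            p.hash = {"sha1": "sha", "md5": "md5", "sha-256": "sha256"}[val]
        elif key == "encryption-algorithm":
            alg, bits = re.match(r"(3des|aes|des)-?(\d*)", val).groups()
            p.encr, p.keylen = alg, int(bits) if bits else KEYLEN[alg]
    return p

# Check order as the thread's debug shows it (encryption, key length, DH group); the
# positions of hash and authentication are assumed.
CHECKS = [("encr", "Encryption algorithm offered"), ("keylen", "Proposed key length"),
          ("hash", "Hash algorithm offered"), ("authentication", "Authentication method offered"),
          ("group", "Diffie-Hellman group offered")]

def mismatch(policy, offer):
    """First reason IOS would reject `offer` against `policy`, or None on a match."""
    for attr, what in CHECKS:
        if getattr(policy, attr) != getattr(offer, attr):
            return f"{what} does not match policy"
    return None

def evaluate(ios_config, junos_proposal):
    """{priority: reason or None}, lowest number first as IOS tries them; no None = 'no offers accepted!'."""
    offer, pols = parse_junos_proposal(junos_proposal), parse_ios_policies(ios_config)
    return {prio: mismatch(pols[prio], offer) for prio in sorted(pols)}

# Constructed from the second Cisco config in the thread (policy 210 without `group 2`).
CISCO_POLICIES = """crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp policy 100
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp policy 110
 encr aes
 authentication pre-share
crypto isakmp policy 210
 encr aes
 authentication pre-share
crypto isakmp policy 1000
 authentication pre-share"""
# The first Cisco config in the thread carried `group 2` under policy 210.
CISCO_POLICIES_FIXED = CISCO_POLICIES.replace(
    "policy 210\n encr aes\n authentication pre-share\n", "policy 210\n encr aes\n authentication pre-share\n group 2\n")
# Constructed from the Junos `proposal IKE_AES` posted in the thread.
JUNOS_PROPOSAL = """proposal IKE_AES {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm sha1;
    encryption-algorithm aes-128-cbc;
}"""

if __name__ == "__main__":
    for prio, why in evaluate(CISCO_POLICIES, JUNOS_PROPOSAL).items():
        print(f"policy {prio:>4}: {why or 'MATCH'}")
```

Run as a script it prints one line per policy. For the config as posted every policy reports a reason, matching the debug above line for line: policies 10 and 1000 fail on the encryption algorithm, 100 on the 256-bit key length, and 110 and 210 only on the DH group, because without a `group` line IOS falls back to group 1 while the SRX offers group2. With the `group 2` line that the first Cisco config in the thread has under policy 210 restored (`CISCO_POLICIES_FIXED`), policy 210 becomes the first match.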
Something new is happening
on the Cisco
INternet#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
10.0.0.2 10.0.0.1 QM_IDLE 1014 ACTIVE
And the tunnel came up, Tunnel72
On the Cisco a message appears from time to time
%CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=2061 local=10.0.0.1 remote=10.0.0.2 spi=64EC2E41 seqno=000000F2
Any ideas?
Did it exactly as in the link given above (http://www.marfitsin.ru/index.php/articles/11-vpn/12-ciscoju...) - everything works.