ipsec VPN между cisco и linux через crypto profile (без crypto-map)

Стянуто отсюда:
http://community.livejournal.com/cisco_ru/239812.html

На кошке

! IKE pre-shared key for the peer 80.249.178.146 (the Linux host configured below).
! The key is kept in the running-config as shown here, so anyone who can read
! this listing can reuse it; treat the value as sensitive and rotate it
! before a config like this is shared.
crypto isakmp key 185d088b5c71daaab829c012f1ee1076 address 80.249.178.146

! IPsec (phase 2) transform: ESP with 3DES and MD5-HMAC, transport mode.
! Transport mode is enough because the protected payload is already a GRE
! tunnel (Tunnel3 below); it must match the "esp/transport" policy in
! /etc/ipsec-tools.conf on the Linux side.
! NOTE(review): 3DES and MD5 are legacy algorithms, kept as in the original
! how-to; prefer AES / SHA-2 transforms where both peers support them.
crypto ipsec transform-set 3DES.MD5.HMAC esp-3des esp-md5-hmac
mode transport
!
! IPsec profile bound to the tunnel interface -- replaces a crypto map.
crypto ipsec profile VPN
set transform-set 3DES.MD5.HMAC
!
! GRE tunnel on 192.168.100.12/30: this end .13, Linux end .14.
interface Tunnel3
description Tunnel to ep-gw
ip address 192.168.100.13 255.255.255.252
! Reduced MTU, presumably to leave room for GRE + ESP overhead -- confirm for the path.
ip mtu 1400
! NOTE(review): the interface is administratively down as listed; no traffic
! will flow until "no shutdown" is issued.
shutdown
tunnel source FastEthernet0/0
tunnel destination 80.249.178.146
tunnel protection ipsec profile VPN
!
! Network behind the Linux gateway, reached via the far tunnel address.
ip route 192.168.11.0 255.255.255.0 192.168.100.14


На линухе (debian)

/etc/network/interfaces

# GRE tunnel endpoint on the Linux gateway: 192.168.100.14/30; the Cisco
# Tunnel3 address on the same /30 is 192.168.100.13.
auto tun0
iface tun0 inet static
address 192.168.100.14
netmask 255.255.255.252
broadcast 192.168.100.15
# Enables multicast on the tunnel (presumably for a routing protocol; the
# routes below are static, so verify whether it is still needed).
up ifconfig tun0 multicast
# Create the GRE tunnel before the address is applied. local = this host's
# public address, remote = the Cisco public address (masked as xxx on this page).
pre-up ip tunnel add tun0 mode gre local 80.249.178.146 remote 80.249.xxx.194 ttl 255
# NOTE(review): 192.168.100.1 lies outside the 192.168.100.12/30 configured
# above and does not match the Cisco Tunnel3 address (192.168.100.13); this
# looks like a leftover from another setup -- confirm before use. The same
# address is used as the next hop in the route lines below.
pointopoint 192.168.100.1
# Static route to the network behind the Cisco; removed again before the
# interface is taken down.
post-up ip r a 192.168.1.0/24 via 192.168.100.1
pre-down ip r d 192.168.1.0/24 via 192.168.100.1
post-down ip link set tun0 down
post-down ip tunnel del tun0

/etc/ipsec-tools.conf

#!/usr/sbin/setkey -f
# Clear ALL security associations and policies on this host first. This also
# drops any other IPsec associations the host may have, not only this tunnel's.
flush;
spdflush;

# Outbound policy: only GRE (the tun0 traffic) between the two public
# addresses is protected, with ESP in transport mode. "require" means GRE is
# never sent unprotected. Transport mode matches "mode transport" in the
# Cisco transform-set.
spdadd 80.249.178.146 80.249.xxx.194 gre -P out ipsec
esp/transport/80.249.178.146-80.249.xxx.194/require;

# Inbound policy for the same flow; unprotected GRE from the peer is rejected.
# IKE itself (UDP/500) is not matched by these policies, as it must not be.
spdadd 80.249.xxx.194 80.249.178.146 gre -P in ipsec
esp/transport/80.249.xxx.194-80.249.178.146/require;

/etc/racoon/racoon.conf

# IKE phase 1 settings for the Cisco peer (public address masked as xxx on this page).
remote 80.249.xxx.194 {
my_identifier address 80.249.178.146;
# NOTE(review): allowing aggressive mode with a pre-shared key exposes
# key-derived material to a passive observer, enabling offline guessing of
# the PSK; "main" alone is the safer setting if the Cisco side permits it.
exchange_mode main,aggressive;
doi ipsec_doi;
# obey: accept the peer's proposal even where it differs from the values below
# (e.g. lifetime).
proposal_check obey;

# Must agree with the Cisco ISAKMP policy. The Cisco listing on this page
# shows no "crypto isakmp policy", so that side presumably relies on IOS
# defaults or on a policy outside the excerpt -- confirm.
# NOTE(review): 3DES, MD5 and modp1024 (DH group 2) are legacy choices kept
# from the original how-to.
proposal {
encryption_algorithm 3des;
hash_algorithm md5;
authentication_method pre_shared_key;
dh_group modp1024;
lifetime time 3600 sec;
}
}
# Phase 2 (IPsec SA) parameters, applied to any peer ("anonymous").
# Must match the Cisco transform-set 3DES.MD5.HMAC (esp-3des esp-md5-hmac).
sainfo anonymous {
# pfs_group 2 = modp1024. The Cisco profile on this page configures no PFS;
# confirm the Cisco side accepts a PFS proposal, otherwise phase 2 may fail
# when this host initiates.
pfs_group 2;
encryption_algorithm 3des;
authentication_algorithm hmac_md5;
# IPComp is offered here; the Cisco transform-set has no compression
# transform, so it is presumably negotiated away -- verify.
compression_algorithm deflate;
lifetime time 3600 sec;

}
