Hello again,
I have went trough some troubleshooting and fine tuning of the configuration and now it's somewhat better.
Cisco side seems to work as expected. It is creating ike aggressive mode requests and sends them to the SRX.
But there are no logs on the SRX.
What is interesting is when I change:
gateway ike_gw-SPOKE {
ike-policy ike-ext_sites_SPOKE;
dynamic hostname SPOKE.domain.com;
local-identity hostname HUB.domain.com;
external-interface ge-0/0/0;
}to this:
gateway ike_gw-SPOKE {
ike-policy ike-ext_sites_SPOKE;
address x.x.x.x; ##real IP address resolved from FQDN
local-identity hostname HUB.domain.coml;
remote-identity hostname SPOKE.domain.com;
external-interface ge-0/0/0;
}Tunnel goes up and everything works fine.
Any ideas what could be the root cause?
----EDIT-----
And there is one more thing. I was previously not aware, that FQDN in aggressive mode cannot be longer than 20 characters (https://kb.juniper.net/InfoCenter/index?page=content&id=KB21716&actp=search).
Well, in my scenario tunnel goes up even though the FQDN is 22-character long :-)
But I have tried with a shorter FQDN. At first the packet has been processed with "No proposal chosen" error, but after ipsec-key-management restart and CRYPTO engine restart on cisco side - packets are no longer seen on the SRX.