Maxim Grishin, 2017-06-19 10:21:50
VPN

How to forward multiple unrelated subnets through TMG without errors?

Given: two networks, two physical sites ("DC"), one VPN channel, with a Cisco 28xx on one end and Microsoft TMG 2010 on the other. Required: configure the network restriction so that ISA does not generate IKE errors.
There are two subnets, conditionally 10.1.0.0/16 and 10.2.0.0/16; on one side of the VPN channel the /24 subnet is 0.x, on the other it is 1.x, and they contain servers and other equipment. It is necessary to make sure that only 10.1.1.x is visible from the 10.1.0.x network, and only the 10.2.1.x subnet is visible from the 10.2.0.x network. Rules configured on the Cisco in the crypto map:
permit ip 10.2.1.0 0.0.0.255 10.2.0.0 0.0.0.255
permit ip 10.1.1.0 0.0.0.255 10.1.0.0 0.0.0.255
permit ip 10.1.1.0 0.0.0.255 host 8x.xx.xx.xx <-- ISA's public IP, otherwise it drops the VPN
permit ip 10.2.1.0 0.0.0.255 host 8x.xx.xx.xx
On the ISA side I configure the same VPN, but it can only specify rules for access to the network, and one network is created for each VPN; as a result both subnets 10.2.1.0 and 10.1.1.0 are in the network object on ISA, and in the rules on ISA you cannot divide an object into subnets (that is, you cannot create a rule that will be valid for one subnet but not for the second). It seems impossible to create a second VPN either. As a result, when a device from 10.2.0 breaks into 10.1.1, ISA throws an "IKE Quick mode negotiation failed" error, since there is no access rule on the Cisco, and it does not build an IKE channel (and rightly so). I want to get rid of this, if possible without replacing ISA with a Cisco (ISA is in fact free, but a Cisco is not). Can anything be done in such a situation?
