Avoiding IP fragmentation with IKEv1 Machine Certificate Authentication
When you set up an L2TP/IPsec connection from a Windows 7 (or Vista) client to a Windows 2008 R2 RRAS server and use Machine Certificate Authentication, then the IPsec main mode messages 5 & 6 containing the certificates will very likely be fragmented by the TCP/IP stack, simply because the messages are just too big for one IP packet. On the other hand, the client and server report in main mode messages 1 & 2 the capability "VendorID: FRAGMENTATION". The goal of that capability is to fragment the message at the IKE application level to avoid fragmentation at the IP level. So far so good.

We've seen that some older sharing/NAT devices don't like IP fragments very much, with the result that the IPsec main mode negotiation fails at the authentication phase. Now, to avoid such problems you can enforce fragmentation at the IKE application level at the RRAS server by enabling the setting "Enable fragmentation checking" on the public-facing interface. Apparently the RRAS server will then ignore any IP fragments and never send IP fragments itself. The result is that the client will first try to send main mode message 5 by fragmenting it at the IP level and, when no timely response is received, switch over to fragmentation at the IKE application level. The downside of this approach is that we have to wait a number of seconds (I've seen 3 - 5 seconds) before that happens.

The obvious question is therefore: how can we enforce the use of fragmentation at the IKE application level at the Windows 7 and Vista client too?

Best Regards,
Stefaan
May 1st, 2011 7:35am

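The post above contrasts two ways a large main mode message 5 can reach the peer: the IP stack fragmenting it, or IKE itself splitting it into fragment payloads once both sides have announced the FRAGMENTATION vendor ID in messages 1 & 2. The following Python script is an added illustration of that decision and is not part of the original thread or of any Windows component. It assumes the IKEv1 fragmentation layout used by common open-source IKE implementations and dissectors (vendor ID 4048b7d5...c2d3, fragment payload type 132 carrying a 16-bit fragment ID, an 8-bit fragment number, an 8-bit flags byte with 0x01 marking the last piece, with the whole original ISAKMP message including its header split across the pieces); treat those constants as assumptions to verify against your own capture rather than as a specification. The certificate bytes in the sample message are constructed filler, not a real certificate.

```python
"""IKEv1 main mode fragmentation: IP-level versus IKE-level (illustrative, added example)."""
import struct

# Assumed constants; verify against a packet capture of your own peers.
MS_FRAGMENTATION_VID = bytes.fromhex("4048b7d56ebce88525e7de7f00d6c2d3")
PAYLOAD_NONE = 0
PAYLOAD_CERT = 6
PAYLOAD_VENDOR_ID = 13
PAYLOAD_FRAGMENT = 132          # IKEv1 fragment payload type (private-use range)
FRAG_FLAG_LAST = 0x01
ISAKMP_HDR_LEN = 28
IP_HDR_LEN, UDP_HDR_LEN = 20, 8
NAT_T_MARKER_LEN = 4            # non-ESP marker prepended on UDP/4500


def generic_payload(next_payload, body):
    """Wrap body in an ISAKMP generic payload header: next payload, reserved, length."""
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def iter_payloads(first_payload, data):
    """Walk an ISAKMP payload chain, yielding (payload_type, body); rejects bad lengths."""
    ptype, off = first_payload, 0
    while ptype != PAYLOAD_NONE:
        if off + 4 > len(data):
            raise ValueError("truncated payload header")
        nxt, _, length = struct.unpack_from("!BBH", data, off)
        if length < 4 or off + length > len(data):
            raise ValueError("bad payload length")
        yield ptype, data[off + 4:off + length]
        ptype, off = nxt, off + length
    if off != len(data):
        raise ValueError("trailing bytes after last payload")


def peer_supports_ike_fragmentation(first_payload, data):
    """True if a main mode 1/2 payload chain carries the FRAGMENTATION vendor ID."""
    return any(t == PAYLOAD_VENDOR_ID and body == MS_FRAGMENTATION_VID
               for t, body in iter_payloads(first_payload, data))


def ip_fragments_needed(ike_message_len, mtu, nat_t=False):
    """How many IP fragments the stack emits for one ISAKMP message sent over UDP."""
    datagram = UDP_HDR_LEN + ike_message_len + (NAT_T_MARKER_LEN if nat_t else 0)
    per_fragment = (mtu - IP_HDR_LEN) // 8 * 8   # fragment data is a multiple of 8 bytes
    return 1 if datagram <= mtu - IP_HDR_LEN else -(-datagram // per_fragment)


def ike_fragment(message, mtu, fragment_id, nat_t=False):
    """Split a whole ISAKMP message into fragment payloads, each in its own ISAKMP
    message small enough to avoid IP fragmentation. Returns the on-the-wire messages."""
    hdr = message[:ISAKMP_HDR_LEN]
    overhead = IP_HDR_LEN + UDP_HDR_LEN + ISAKMP_HDR_LEN + 4 + 4 + (NAT_T_MARKER_LEN if nat_t else 0)
    chunk = mtu - overhead
    if chunk <= 0:
        raise ValueError("MTU too small for any fragment data")
    pieces = [message[i:i + chunk] for i in range(0, len(message), chunk)]
    out = []
    for num, piece in enumerate(pieces, start=1):
        flags = FRAG_FLAG_LAST if num == len(pieces) else 0
        payload = generic_payload(PAYLOAD_NONE, struct.pack("!HBB", fragment_id, num, flags) + piece)
        new_hdr = (hdr[:16] + bytes([PAYLOAD_FRAGMENT]) + hdr[17:24]
                   + struct.pack("!I", ISAKMP_HDR_LEN + len(payload)))
        out.append(new_hdr + payload)
    return out


def ike_reassemble(fragment_messages):
    """Reassemble fragment messages (any order) into the original ISAKMP message."""
    parts, last, fid = {}, None, None
    for msg in fragment_messages:
        for ptype, body in iter_payloads(msg[16], msg[ISAKMP_HDR_LEN:]):
            if ptype != PAYLOAD_FRAGMENT:
                raise ValueError("non-fragment payload in fragment message")
            this_id, num, flags = struct.unpack_from("!HBB", body)
            if fid is not None and this_id != fid:
                raise ValueError("fragment ID mismatch")
            fid, parts[num] = this_id, body[4:]
            if flags & FRAG_FLAG_LAST:
                last = num
    if last is None or set(parts) != set(range(1, last + 1)):
        raise ValueError("incomplete fragment set")
    return b"".join(parts[i] for i in range(1, last + 1))


def build_sample_message(cert_len):
    """Constructed stand-in for main mode message 5: header plus one CERT payload of filler."""
    body = generic_payload(PAYLOAD_NONE, b"\x30" * cert_len)   # filler, not a real DER certificate
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x22" * 8, PAYLOAD_CERT,
                      0x10, 2, 0, 0, ISAKMP_HDR_LEN + len(body))  # version 1.0, exchange 2 = main mode
    return hdr + body


if __name__ == "__main__":
    mm5 = build_sample_message(2000)
    print("IP fragments if sent whole:", ip_fragments_needed(len(mm5), 1500))
    frags = ike_fragment(mm5, 1500, fragment_id=1)
    print("IKE fragments:", len(frags), "each fits in one packet:",
          all(ip_fragments_needed(len(f), 1500) == 1 for f in frags))
    print("reassembled ok:", ike_reassemble(frags) == mm5)
```

Running it with a 2000-byte certificate and a 1500-byte MTU shows the whole message would need two IP fragments, while IKE-level fragmentation produces two self-contained UDP datagrams that a fragment-dropping NAT device passes without trouble. Pass `nat_t=True` when the tunnel runs on UDP/4500, since the extra non-ESP marker shrinks the usable chunk.
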
Hi, I found you posted the same thread on the Windows Server forum: http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/022133fe-9e04-42ea-a1b9-c3ad09936203/ Since this problem is more related to Windows Server, I suggest focusing on that thread; other partners who read the forums regularly can either share their knowledge or learn from your interaction with us. Thank you for your understanding.

Regards,
Leo Huang
TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
May 2nd, 2011 3:50am
