Avoiding IP fragmentation with IKEv1 Machine Certificate Authentication
When you set up an L2TP/IPsec connection from a Windows 7 (or Vista) client to a Windows 2008 R2 RRAS server and use Machine Certificate Authentication, the IPsec main mode messages 5 & 6 containing the certificates will very likely be fragmented by the TCP/IP stack, simply because the messages are just too big for one IP packet. On the other hand, the client and server report in main mode messages 1 & 2 the capability "VendorID: FRAGMENTATION". The goal of that capability is to fragment the message at the IKE application level to avoid fragmentation at the IP level. So far so good.

We've seen that some older sharing/NAT devices don't like IP fragments very much, with the result that the IPsec main mode negotiation fails at the authentication phase. Now, to avoid such problems you can enforce fragmentation at the IKE application level at the RRAS server by enabling the setting "Enable fragmentation checking" on the public facing interface. Apparently the RRAS server will then ignore any IP fragments and never send IP fragments itself. The result is that the client will first try to send main mode message 5 by fragmenting it at the IP level and, when no timely response is received, switch over to fragmentation at the IKE application level. The downside of this approach is that we have to wait a number of seconds (I've seen 3 - 5 seconds) before that happens.

The obvious question is therefore: how can we enforce on the Windows 7 and Vista client the use of fragmentation at the IKE application level too?

Best Regards,
Stefaan
May 1st, 2011 9:23am
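To see the behaviour described in the question in a capture rather than by waiting for the retry timer, it helps to look at the ISAKMP messages directly: which peer advertises the FRAGMENTATION vendor ID in messages 1 & 2, how large messages 5 & 6 are compared with the path MTU, and whether any message is already an IKE-level fragment. The script below is an added example (not code from the thread or from Microsoft) that builds constructed sample messages and inspects them. It assumes the FRAGMENTATION vendor ID is the MD5 of the ASCII string "FRAGMENTATION" (as listed by ike-scan), that IKEv1 fragments use the private-use payload type 132 with the strongSwan/Cisco fragment layout, and that main mode messages 5 & 6 carry the ISAKMP encryption flag, so on the wire only their size, not their payload chain, is observable.

```python
"""Inspect IKEv1 (ISAKMP over UDP/500) messages for the fragmentation-related
facts discussed in the thread. Added example; sample messages are constructed."""
import hashlib
import struct

ISAKMP_HEADER_LEN = 28          # SPIi(8) SPIr(8) next(1) ver(1) exch(1) flags(1) msgid(4) len(4)
MAIN_MODE = 2                   # exchange type "Identity Protection" (main mode)
FLAG_ENCRYPTED = 0x01           # set on main mode messages 5 and 6
PAYLOAD_FRAGMENT = 132          # assumption: private-use type used for IKEv1 fragments
PAYLOAD_NAMES = {1: "SA", 5: "ID", 6: "CERT", 9: "SIG", 13: "VID", 132: "IKE_FRAGMENT"}
# Assumption: the FRAGMENTATION capability is advertised as MD5("FRAGMENTATION").
FRAGMENTATION_VID = hashlib.md5(b"FRAGMENTATION").digest()
IP_UDP_OVERHEAD = 20 + 8        # IPv4 header without options + UDP header


def build_isakmp(exchange_type, payloads, flags=0, msg_id=0):
    """Chain (type, body) payloads behind an ISAKMP header. Constructed SPIs."""
    chain = b""
    for i, (_, body) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        chain += struct.pack("!BBH", nxt, 0, 4 + len(body)) + body   # generic payload header
    first = payloads[0][0] if payloads else 0
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x22" * 8, first, 0x10,
                      exchange_type, flags, msg_id, ISAKMP_HEADER_LEN + len(chain))
    return hdr + chain


def parse_payloads(msg):
    """Walk the generic payload chain of an unencrypted message -> [(type, body)]."""
    nxt = msg[16]
    off, out = ISAKMP_HEADER_LEN, []
    while nxt != 0:
        if off + 4 > len(msg):
            raise ValueError("truncated payload header")
        nxt_next, _, plen = struct.unpack("!BBH", msg[off:off + 4])
        if plen < 4 or off + plen > len(msg):
            raise ValueError("bad payload length")
        out.append((nxt, msg[off + 4:off + plen]))
        nxt, off = nxt_next, off + plen
    return out


def analyze(msg, mtu=1500):
    """Report exchange type, visible payloads, fragmentation capability and MTU fit."""
    hdr = struct.unpack("!8s8sBBBBII", msg[:ISAKMP_HEADER_LEN])
    first, exch, flags, length = hdr[2], hdr[4], hdr[5], hdr[7]
    if length != len(msg):
        raise ValueError("ISAKMP length field does not match datagram size")
    encrypted = bool(flags & FLAG_ENCRYPTED)
    # Messages 5/6 are encrypted: their chain is not readable on the wire, only their size.
    payloads = [] if encrypted else parse_payloads(msg)
    types = [t for t, _ in payloads]
    return {
        "main_mode": exch == MAIN_MODE,
        "encrypted": encrypted,
        "payloads": [PAYLOAD_NAMES.get(t, str(t)) for t in types],
        "advertises_fragmentation": any(t == 13 and b == FRAGMENTATION_VID for t, b in payloads),
        "carries_certificate": 6 in types,
        "is_ike_fragment": first == PAYLOAD_FRAGMENT,
        # True means the stack must fragment this datagram at the IP layer.
        "exceeds_mtu": len(msg) + IP_UDP_OVERHEAD > mtu,
    }


def sample_message_1():
    """Constructed main mode message 1: stub SA payload plus the FRAGMENTATION VID."""
    sa_stub = b"\x00\x00\x00\x01" + b"\x00\x00\x00\x01"   # DOI + situation only, no proposals
    return build_isakmp(MAIN_MODE, [(1, sa_stub), (13, FRAGMENTATION_VID)])


def sample_message_5(cert_len=1400):
    """Constructed main mode message 5 (ID + CERT + SIG) with the E flag set.
    A ~1.4 KB machine certificate alone pushes the datagram past a 1500-byte MTU."""
    ident = b"\x09\x00\x00\x00" + b"client.example"            # ID type FQDN, proto/port 0
    cert = b"\x04" + b"\xAA" * cert_len                         # X.509 signature cert encoding
    return build_isakmp(MAIN_MODE, [(5, ident), (6, cert), (9, b"\x00" * 256)],
                        flags=FLAG_ENCRYPTED)


def sample_ike_fragment(piece=b"\xAA" * 500, frag_id=1, frag_num=1, last=0):
    """Constructed IKE-level fragment: fragment ID(2), number(1), flags(1), data slice."""
    body = struct.pack("!HBB", frag_id, frag_num, last) + piece
    return build_isakmp(MAIN_MODE, [(PAYLOAD_FRAGMENT, body)])


if __name__ == "__main__":
    for name, m in (("msg1", sample_message_1()), ("msg5", sample_message_5()),
                    ("frag", sample_ike_fragment())):
        print(name, len(m), "bytes", analyze(m))
```

To use this on real traffic, feed `analyze()` the UDP/500 payload of each packet from a capture; on UDP/4500 (NAT-T) strip the 4-byte non-ESP marker first. A message 5 that `exceeds_mtu` while both messages 1 and 2 `advertises_fragmentation` is exactly the situation in the question: the capability is negotiated, but the client still sends an IP-fragmented datagram first.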

Hi Leo,

hmm... the question is: how can we enforce on the Windows 7 and Vista client the use of fragmentation at the IKE application level too? I agree it has a relationship with the RRAS server, but there we can apply at least the setting "Enable fragmentation checking" on the public facing interface.

Best Regards,
Stefaan
May 2nd, 2011 5:57am

Hi Stefaan,

Based on my research, Windows 7 does not have a function to enforce the use of fragmentation at the IKE application level. I also checked on the server; the result is the same as yours, there is only the option "enable fragmentation checking". Thank you for your understanding.

Regards,
Leo Huang
TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
May 2nd, 2011 6:59am

Hi,

I notice our senior engineer has replied on http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/022133fe-9e04-42ea-a1b9-c3ad09936203/ Please kindly focus on that thread and hope that helps.

Regards,
Leo Huang
TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
May 11th, 2011 7:28am
