5. August 2008 16:52
Using L2TP/IPsec for a VPN site-to-site connection is recommended when both VPN gateways are ISA 2004/2006 Firewalls. This is stated clearly in many documents on Microsoft's web site.
IPsec Tunnel Mode site-to-site VPN connections are used when interoperability with a VPN gateway from another vendor is required. ISA Server 2006 has passed the VPNC Basic Interoperability Test. If you scroll through that document, you will find which VPN gateways ISA Server 2006 was tested against.
If you need to create an IPsec Tunnel Mode site-to-site VPN connection with a VPN gateway from another vendor, you may run into a couple of unsupported settings or scenarios.
Let's point out some of them.
An easy one to spot is the lack of support for Diffie-Hellman MODP Group 5 (1536-bit). Popular VPN gateways often default to this group, and if the remote side offers only Group 5, IKE Phase 1 will simply fail because no proposal matches. ISA Server 2006 can use the stronger Diffie-Hellman MODP Group 14 (2048-bit) instead, so the fix is to configure Group 14 on the other vendor's gateway as well. Avoid the tempting shortcut of falling back to Group 2 (1024-bit): it will negotiate, but it is weaker than the Group 5 exchange the other vendor was already doing.
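To make the mismatch concrete, here is a small simulation of how an IKEv1 responder selects the Diffie-Hellman group from the initiator's proposal list. This is an added example, not code from the original post or from ISA Server itself. The set of groups attributed to ISA Server 2006 (1, 2 and 14) is an assumption based on the text above; the vendor proposal lists are constructed sample inputs.

```python
# Added example: IKEv1 Phase 1 Diffie-Hellman group selection.
# An IKEv1 responder walks the initiator's proposals in the order they were
# sent and accepts the first one it supports. Proposal order therefore
# decides which group is used, not the strongest group both sides share.

# Modulus size in bits for the MODP groups discussed on this page.
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048}

# Assumption (not from the page): ISA Server 2006 offers groups 1, 2 and 14,
# and cannot accept group 5.
ISA_2006_DH_GROUPS = frozenset({1, 2, 14})


def pick_dh_group(initiator_groups, responder_groups):
    """Return the first initiator-proposed group the responder supports, or None."""
    for group in initiator_groups:
        if group in responder_groups:
            return group
    return None


def negotiate(initiator_groups, responder_groups=ISA_2006_DH_GROUPS):
    """Simulate Phase 1 group selection and flag weak or sub-optimal outcomes.

    Returns a dict with:
      chosen          - the negotiated group, or None (NO-PROPOSAL-CHOSEN)
      bits            - modulus size of the chosen group (0 if none)
      strongest_common- the strongest group both peers actually share
      suboptimal_order- True if a stronger shared group was available but
                        lost out because of the initiator's proposal order
      weaker_than_g5  - True if the result is weaker than the 1536-bit
                        Group 5 exchange the vendor gateway defaulted to
    """
    chosen = pick_dh_group(initiator_groups, responder_groups)
    common = [g for g in initiator_groups if g in responder_groups]
    strongest_common = max(common, key=DH_GROUP_BITS.get) if common else None
    bits = DH_GROUP_BITS[chosen] if chosen is not None else 0
    return {
        "chosen": chosen,
        "bits": bits,
        "strongest_common": strongest_common,
        "suboptimal_order": chosen is not None and chosen != strongest_common,
        "weaker_than_g5": chosen is not None and bits < DH_GROUP_BITS[5],
    }


def scenarios():
    """Constructed vendor-side proposal lists against the assumed ISA group set."""
    return {
        # Vendor default: Group 5 only -> Phase 1 fails, nothing to pick.
        "group5_only": negotiate([5]),
        # Common 'quick fix': add Group 2 as fallback -> works, but 1024-bit.
        "group5_then_2": negotiate([5, 2]),
        # Group 14 added, but listed after Group 2 -> responder picks 2 first.
        "group5_2_then_14": negotiate([5, 2, 14]),
        # Group 14 listed first -> the 2048-bit exchange the page recommends.
        "group14_first": negotiate([14, 5, 2]),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:18s} -> {result}")
```

The third scenario is the one that bites in practice: both gateways support Group 14, yet the tunnel comes up with Group 2 because the vendor's proposal list puts Group 2 ahead of it. Check the order on the third-party side, not just the presence of the group.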