I wrote within this article about the Vista L2TP/IPsec VPN client and the Verify the Name and Usage attributes of the server's certificate checkbox:
As said there, I've noticed that the Vista L2TP/IPsec VPN client checks the EKU field of the VPN server's certificate to see if contains Server authentication. If not, IKE authentication will fail.
If you want to find out more about the Verify the Name and Usage attributes of the server's certificate checkbox, see KB926182.
A couple of days ago, I found this article on the Routing and Remote Access Blog, titled Vista/LH: Security changes for remote access scenarios:
Within this article, there is a confirmation that indeed the Vista L2TP/IPsec VPN Client checks the EKU field of the VPN server's certificate for Server authentication(184.108.40.206.220.127.116.11.1).
So if you plan to use your ISA Server as a VPN server and on the Vista machines to enable within the L2TP/IPsec VPN Client the Verify the Name and Usage attributes of the server's certificate checkbox, make sure that ISA has installed and will use a proper certificate for IKE authentication(check the Oakley.log on ISA to see what certificate is selected in case you have multiple certificates installed in the Computer Certificate Store, I wrote about this issue here). Otherwise, your Vista machines will be unable to connect using an L2TP/IPsec connection to your VPN server.