A Windows Vista-based or Windows Server 2008-based computer cannot negotiate the security mode with the partner if you use a subnet address as a source address or as a destination filter address when you configure IPsec policy to use tunnel mode
Consider the following scenario:
- In a network environment, you configure the Internet Protocol security (IPsec) policy to use the tunnel mode.
- In the IP Filter Properties dialog box of the IPsec policy, you use a subnet address for the Source Address or for the Destination Address.
- You try to establish the IPsec tunnel-mode connection to a partner computer from a Windows Vista-based computer or from a Windows Server 2008-based computer.
In this scenario, the computer cannot negotiate the security mode with the partner computer. Therefore, you cannot use IPsec to secure the connection.
For more information about this issue, including potential causes, workarounds, and resolutions, see Microsoft KB article KB946887.