I have successfully setup a L2TP VPN server with MS TMG 2010. The clients that are part of the domain can successfully establish the connection.
I have my own CA that I use to generate the certificates.
When I generate the exact same certificate with the same CA for a client that is not part of any domain then I get the 810 error.
Specifically, the client I am testing is on Windows 7. It belongs to a WORKGROUP (Windows default) and it is freshly installed with nothing else on it. It is called "burgvpc-PC".
I have test with another non-domain client - same problem.
I made sure that the CA certificate is in the clients stores (in Trusted Root and Intermediate Certification Authorities - for both use and computer stores).
I also have the client certificate in the computer store.
In the VPN trace logs on the client, the only relevant information I get is "RASDiag: Mapping to new errorcode: 810 (ERROR_VPN_BAD_CERT) instead of 786 (ERROR_OKLEY_NO_CERT)"
There is not information why Windows considers it a bad certificate.
I have also tried the subject name for the certificate to be both "burgvpc-PC" and "burgvpc-PC.WORKGROUP" - both give the same error.
Does anyone have any idea how the certificate should be different when the client is not part of the domain?