We have Microsoft's DirectAccess VPN set up on Server 2008 R2 with end-to-edge security, and we're having trouble with the manage-out tunnel.
The DirectAccess client has DC/DNS and intranet connectivity, it can ping/rdp/etc to intranet hosts. However connections originating from those same intranet hosts can only intermittently reach the client. At times it works fine, other times it doesn't.
When an inbound (intranet to client) connection is attempted there's an IPSec Main Mode failure logged: Event 4653 with a failure reason of "No Policy Configured".
I think that it may be related to the state of the intranet (corp) access tunnel, and an overlap in the configured subnets for those policies. I haven't figured out exactly what's different in the scenario where the connection works and where it does not.
Signs of a DirectAccess infrastructure tunnel problem are that you can ping or RDP to the IPv6 address of a domain controller on the corporate network, but you cannot resolve corporate DNS names even though the NRPT is valid.
After a few years of working with it, I've found the following 2 things to be the most common reasons for machine-specific infrastructure tunnel problems with DirectAccess.
1: Certificate problems. The first credential used for the infrastructure tunnel is a certificate. You'll get Policy Not Configured if the certificate is invalid. This could be caused by an expired certificate, a subject name mismatch, incorrect certificate usage (Server auth/Client auth via the built-in Computer template), or your published revocation list for the root or issuing CA may be out of date.
2: Machine account problems. The second credential used for the infrastructure tunnel is the computer account. I've received "Policy Not Configured" on machines that have left and rejoined the domain or when a machine name has been reused. When this happens I can't necessarily find any issues with schannel (nltest), or anywhere else in the event log, but the computer account refuses to authenticate for DA. This is also logged as an IPSec Main Mode failure event on the DirectAccess server.
I haven't identified any firewall consec rule issues that cause problems with the infrastructure tunnel (like an overlapping subnet).
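An added PowerShell check (not from the question or the answer above) that walks the two credentials the answer names: it lists the machine certificates with their expiry, Client/Server Authentication EKUs and chain/revocation status, verifies the computer account's secure channel, and pulls the Failure Reason out of recent Event 4653 entries. It assumes it is run elevated on the DirectAccess client or server; the function names are mine.

```powershell
# Added diagnostic for DirectAccess infrastructure-tunnel credential problems.
# Assumption: run in an elevated PowerShell session on the DA client or server.

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

function Test-DaMachineCertificate {
    # Report every certificate in the machine store with the properties the
    # IPsec main mode negotiation depends on: validity period, EKUs, private
    # key presence and a full chain build including revocation checking.
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_
        $ekus = @()
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                $ekus = $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
            }
        }
        New-Object PSObject -Property @{
            Subject       = $cert.Subject
            NotAfter      = $cert.NotAfter
            Expired       = ($cert.NotAfter -lt (Get-Date))
            HasClientAuth = ($ekus -contains $ClientAuthOid)
            HasServerAuth = ($ekus -contains $ServerAuthOid)
            HasPrivateKey = $cert.HasPrivateKey
            ChainValid    = $cert.Verify()   # chain + online CRL check; $false if the CRL is stale or unreachable
        }
    }
}

function Test-DaMachineAccount {
    # Second credential: the computer account. A broken secure channel points
    # at the left/rejoined-domain or reused-name case described above.
    Test-ComputerSecureChannel -Verbose
}

function Get-DaMainModeFailures {
    # Recent IPsec main mode failures (Event 4653) with the Failure Reason
    # extracted, so "No Policy Configured" can be matched against the checks above.
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4653; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $reason = if ($_.Message -match 'Failure Reason:\s*(.+)') { $Matches[1].Trim() } else { '(unparsed)' }
        New-Object PSObject -Property @{ Time = $_.TimeCreated; FailureReason = $reason }
    }
}

Test-DaMachineCertificate | Format-Table Subject, Expired, HasClientAuth, HasServerAuth, HasPrivateKey, ChainValid -AutoSize
Test-DaMachineAccount
Get-DaMainModeFailures | Group-Object FailureReason | Select-Object Count, Name
```

A certificate that shows `Expired`, a missing EKU, `HasPrivateKey = False` or `ChainValid = False` on the client matches the answer's first cause; a failed secure channel with an otherwise valid certificate matches the second.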