Quite a few weeks ago now I came across this issue on a customer site and managed to resolve it by narrowing it down to group policy and finding the troublesome policy to be the setting for "Access this computer from the network". On Monday of this week Microsoft released a KB article detailing this problem (http://support.microsoft.com/kb/2663354), but I thought it was worth blogging as I did come across it a few weeks ago (promise!).
Basically, when you modify this particular group policy setting, it changes the local policy on the machine. Manage-out capabilities in DirectAccess require the internal source user and computer accounts to authenticate IPsec connections to the DA client. This policy setting controls which accounts have access to system services on the DA computer. If the source computer account does not have this access, IPsec authentication will fail. The default setting is currently the only supported one for DA. By default it includes: Administrators, Backup Operators, Everyone, Users.
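One way to check a DA client for this condition, added here as an example and not taken from the original post or the KB article: export the local user rights assignment and compare "Access this computer from the network" against the four defaults. `SeNetworkLogonRight` and the SIDs are the standard Windows identifiers for this right and these built-in groups; the temporary file name is an assumption.

```powershell
# Added example: compare the local "Access this computer from the network"
# right (SeNetworkLogonRight) with the four default members.
# Run from an elevated PowerShell prompt on the DirectAccess client.

# Well-known SIDs of the default members.
$defaults = [ordered]@{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-32-544' = 'Administrators'
    'S-1-5-32-545' = 'Users'
    'S-1-5-32-551' = 'Backup Operators'
}
$defaultSids = @($defaults.Keys)

# Export the effective user rights assignment (file name is an assumption).
$cfg = Join-Path $env:TEMP 'da-user-rights.inf'
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit export failed ($LASTEXITCODE)" }

try {
    $line = Get-Content -Path $cfg |
        Where-Object { $_ -match '^\s*SeNetworkLogonRight\s*=' } |
        Select-Object -First 1
}
finally {
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
}

# No line at all means the right is granted to nobody.
# SIDs are exported with a leading '*'; entries without it are account names.
$granted = @()
if ($line) {
    $granted = @(($line -split '=', 2)[1] -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') } |
        Where-Object { $_ })
}

$missing = @($defaultSids | Where-Object { $granted -notcontains $_ })
$added   = @($granted | Where-Object { $defaultSids -notcontains $_ })

if ($missing.Count -eq 0 -and $added.Count -eq 0) {
    'SeNetworkLogonRight matches the default assignment.'
} else {
    $missing | ForEach-Object { "Missing default: $($defaults[$_]) ($_)" }
    $added   | ForEach-Object { "Non-default entry: $_" }
}
```

If defaults are reported missing, `gpresult /h` on the client shows which GPO is applying the setting.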
Hope this helps others resolve a peculiar, difficult-to-determine issue!