I do not like IPSec. I do not understand IPSec. Sadly, cheap VPN routers purchased by external partners to whom we must give some access pretty much speak nothing else. [don’t get me started on packaged SSL VPN servers…]
Fortunately, our firewall runs a recent release of OpenBSD. Even more fortunately, there’s an excellent site on configuring OpenBSD as an IPSec server, including sample PF firewall rules.
I used a recent build of Parallels to set up a private, non-routed network with three virtual servers on it, put one of them on the real network as well, set it up as a firewall and router, and tinkered with a pair of Netgear VPN routers until they both could connect to one of the private servers without seeing the other.
Then I worked on the PF ruleset until I knew I could cut off either Netgear without affecting anything else, and transferred my configuration to our real-world firewall. Works like a charm.
It appears that the best way to use IPSec is to completely ignore all of its management features, set up a generic tunnel config, and handle all the access controls in your firewall. One less convoluted config-file syntax to learn, one less place to screw up and allow the wrong people to get at the wrong stuff.