OK, long story short: I want a dedicated VPN appliance that I can pop into my network.
It must support IPsec/L2TP, such that the standard Windows Vista VPN client works with it.
It will not be connected directly to the WAN. I want to pop it into an existing network that already has a good router (which has IPsec passthrough) and firewall, so none of that is wanted, especially if it's going to cause problems.
I do not need a lot of connections; 12 would probably be the most that could theoretically be in use at a given time, and I can't imagine there would ever be more than 4 actually on at the same time. But that number might go up in the future, so let's say 16 at most to be future proof.
Seeing that nobody has recommended an appliance, can I suggest you investigate a hosted VPN service, www.accessmylan.com. It supports IPSec clients (with client-side certificates) on XP and is NAT friendly.
You can pick your favorite dedicated VPN concentrator. But you need to modify things as below:
There are 2 traffic types for IPSec tunnels: IKE (control traffic) and ESP (actual encrypted payload). At the firewall, insert rules to forward UDP port 500 for IKE to your concentrator. For the ESP, the ESP protocol does NOT use ports but has a protocol number assigned. Insert rules to forward once your FW sees these packets.

There is a bit of a problem with NAT'ed networks. NAT uses ports but ESP does not. In this case, you have to configure your concentrator to support NAT-T (NAT traversal) mode. Basically, ESP is wrapped by another layer of UDP using UDP port 4500. To support NAT-T, forward UDP 4500 to your concentrator. This is the standard. Some vendors might modify it a bit and use different ports. For example, Cisco uses TCP or UDP 10000 wrapping of ESP packets.
In the case of a NAT firewall, make sure the FW does NOT use arbitrary ports during NAT translation; it must use the same ports, 500 and 4500, on both sides.
If your firewall has more than 2 interfaces in use, make sure you configure the concentrator so that both IKE and ESP traffic go back out of the same interface they came in on.
Internal Nodes Issue:
Say the internal address scheme is 192.168.4.0/24 and VPN clients are given 10.10.10.0/24. Two options here: internal nodes have static routes configured so that they know where to send 10.10.10.0 traffic, OR configure your FW so that it forwards that 10.10.10.0 traffic to the concentrator on behalf of the internal nodes.
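To make the checklist in the answer above concrete, here is an added example (not code from the thread or from any vendor) that models the firewall side as data: it classifies packets as IKE (UDP 500), NAT-T (UDP 4500) or ESP (IP protocol 50, which has no ports), records the concentrator they should be forwarded to and the interface the reply must leave on, flags a NAT table that rewrites port 500 or 4500, and resolves the 10.10.10.0/24 client pool through a static route. The concentrator address 192.168.4.10, the gateway 192.168.4.1, the interface names and all packets are constructed assumptions for the demo.

```python
"""Model of the IPsec port-forward / NAT / route checklist from the answer.

Added example, not from the forum post. Addresses, interface names and
packets are constructed; the protocol numbers and ports are the standard ones.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ESP_PROTO = 50      # IANA protocol number for ESP; no port numbers at all
UDP_PROTO = 17
IKE_PORT = 500      # IKE control traffic
NAT_T_PORT = 4500   # ESP wrapped in UDP when a NAT sits in the path

# Assumed lab addressing (constructed for this example).
CONCENTRATOR = ipaddress.ip_address("192.168.4.10")
INTERNAL_NET = ipaddress.ip_network("192.168.4.0/24")
VPN_POOL = ipaddress.ip_network("10.10.10.0/24")
DEFAULT_GW = ipaddress.ip_address("192.168.4.1")

# Static route table an internal node (or the FW) would carry: longest prefix wins.
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), DEFAULT_GW),
    (VPN_POOL, CONCENTRATOR),
]


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # None for ESP, which has no ports
    dport: Optional[int] = None
    in_iface: str = "wan0"


def classify(pkt: Packet) -> Optional[str]:
    """Name the IPsec traffic type, or None if it is not IPsec at all."""
    if pkt.proto == ESP_PROTO:
        return "ESP"
    if pkt.proto == UDP_PROTO and pkt.dport == IKE_PORT:
        return "IKE"
    if pkt.proto == UDP_PROTO and pkt.dport == NAT_T_PORT:
        return "NAT-T"
    return None


def forward_decision(pkt: Packet, concentrator=CONCENTRATOR) -> Optional[dict]:
    """Forwarding rule the FW should apply: IPsec goes to the concentrator,
    and the reply must leave on the interface the request arrived on."""
    kind = classify(pkt)
    if kind is None:
        return None
    return {"kind": kind, "target": str(concentrator), "reply_iface": pkt.in_iface}


def check_nat_mapping(mappings) -> list:
    """mappings: (inside_udp_port, outside_udp_port) pairs the NAT created.
    IKE and NAT-T need the same port on both sides, so a rewrite is a defect."""
    problems = []
    for inside, outside in mappings:
        if inside in (IKE_PORT, NAT_T_PORT) and inside != outside:
            problems.append(
                f"UDP {inside} rewritten to {outside}; IKE/NAT-T need identical ports on both sides"
            )
    return problems


def next_hop(routes, dst) -> Optional[ipaddress.IPv4Address]:
    """Longest-prefix match over the static route table."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


if __name__ == "__main__":
    # Constructed sample traffic arriving at the firewall from the outside.
    samples = [
        Packet(UDP_PROTO, "203.0.113.5", "198.51.100.2", 500, 500),
        Packet(UDP_PROTO, "203.0.113.5", "198.51.100.2", 4500, 4500),
        Packet(ESP_PROTO, "203.0.113.5", "198.51.100.2"),
        Packet(UDP_PROTO, "203.0.113.5", "198.51.100.2", 40000, 53),
    ]
    for p in samples:
        print(classify(p), forward_decision(p))
    print(check_nat_mapping([(500, 500), (4500, 31337)]))
    print(next_hop(ROUTES, "10.10.10.7"), next_hop(ROUTES, "8.8.8.8"))
```

Run it as-is to see the three IPsec packet types routed to the concentrator, the DNS packet left alone, the bad NAT mapping flagged, and the client pool resolved to the concentrator while everything else goes to the default gateway.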