Admin Instructions for VPN provided by http://www.netdigix.com

Assigning a range of IP addresses:
  Edit /etc/l2tp/l2tpd.conf:

    ip range = 172.16.32.248-172.16.32.249

Usernames and passwords:
  Edit /etc/ppp/chap-secrets. The syntax is

    username  server  password  ipaddress

  username: the username of the user
  server: this should always be set to *
  password: the password for the user
  ipaddress: set to * for DHCP, or specify an address so the client takes that IP address each time he/she logs in.

Adding a new cert to the IPsec config (/etc/ipsec.conf):
  First cut and paste the basic Windows 2000/XP VPN config:

    conn roadwarrior-net
        leftsubnet=172.16.32.0/24
        also=roadwarrior

    conn roadwarrior
        left=xxx.xxx.xxx.xxx
        leftnexthop=%defaultroute
        authby=rsasig
        leftprotoport=17/0
        right=%any
        rightprotoport=17/1701
        pfs=no
        rightid="C=CA, ST=British Columbia, L=Vancouver, O=netdigix.com, OU=network operations, CN=nathan, E=support@netdigix.com"
        leftcert=vanvpn1.netdigix.pem
        keyingtries=3
        esp=3des-md5-96
        auto=add

  Change roadwarrior-net to a new unique name, then change also=roadwarrior and conn roadwarrior to a corresponding unique name.

  Change rightid to the ID of the cert you just made. If you do not know it, run this command to get it:

    openssl x509 -in cert.pem -noout -subject

  Cut and paste the output into "rightid" as shown above, replacing each / with a comma:

  OUTPUT:
    /C=CA/ST=British Columbia/L=Kelowna/O=netdigix.com/OU=VPN/CN=netdigix.com/Email=support@netdigix.com
  WHAT YOU WANT:
    C=CA, ST=British Columbia, L=Kelowna, O=netdigix.com, OU=VPN, CN=netdigix.com, E=support@netdigix.com

Restarting IPsec:

    /etc/init.d/ipsec restart

ipsec commands:

    ipsec verify
    ipsec auto --status

Firewall rules:
  For net-to-net you must allow input and forwarding for source and destination for both outside IP addresses on both firewalls:

    iptables -I FORWARD -s -j ACCEPT
    iptables -I FORWARD -d -j ACCEPT

  Then allow forwarding for the networks behind these firewalls:

    iptables -I FORWARD -s -j ACCEPT
    iptables -I FORWARD -d -j ACCEPT

  For the actual firewall rules you must let in these ports: 500 tcp/udp

    iptables -I INPUT -p tcp --dport 500 -j ACCEPT
    iptables -I INPUT -p udp --dport 500 -j ACCEPT

  and these protocols: 50, 51

    iptables -I INPUT -p 50 -j ACCEPT
    iptables -I INPUT -p 51 -j ACCEPT
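Added example (not part of the netdigix instructions): a small Python helper that performs the rightid conversion described above, turning the openssl -subject output into the comma-separated DN and renaming Email to E. It goes slightly beyond the instructions by also accepting the "C = CA, ST = ..." output format that newer OpenSSL releases print for the same command, and the optional leading "subject=" label.

```python
# Subject-to-rightid converter, added as an example; not part of the original
# netdigix instructions. Converts the output of
#   openssl x509 -in cert.pem -noout -subject
# into the comma-separated DN string that ipsec.conf expects in rightid.

# OpenSSL prints the e-mail attribute as "Email" (old releases) or
# "emailAddress" (newer releases); ipsec.conf wants it as "E".
_ATTR_MAP = {"Email": "E", "emailAddress": "E"}


def subject_to_rightid(subject_line: str) -> str:
    """Convert one openssl -subject line to an ipsec.conf rightid value.

    Accepts the legacy slash format (/C=CA/ST=...) shown in the instructions
    and the "C = CA, ST = ..." format of newer OpenSSL releases, with or
    without the leading "subject=" label. Values that themselves contain the
    separator ("/" or ", ") are not handled.
    """
    s = subject_line.strip()
    if s.lower().startswith("subject="):
        s = s[len("subject="):].strip()
    if s.startswith("/"):
        # Legacy format: attributes separated by "/", no spaces around "=".
        parts = [p for p in s.split("/") if p]
    else:
        # Newer format: attributes separated by ", ", spaces around "=".
        parts = [p for p in s.split(", ") if p]
    rdns = []
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed attribute: {part!r}")
        key, value = (x.strip() for x in part.split("=", 1))
        rdns.append(f"{_ATTR_MAP.get(key, key)}={value}")
    return ", ".join(rdns)


def rightid_line(subject_line: str) -> str:
    """Return the complete, double-quoted rightid= line for ipsec.conf."""
    return f'rightid="{subject_to_rightid(subject_line)}"'


if __name__ == "__main__":
    # Sample input constructed from the OUTPUT example in the instructions.
    sample = "/C=CA/ST=British Columbia/L=Kelowna/O=netdigix.com/OU=VPN/CN=netdigix.com/Email=support@netdigix.com"
    print(rightid_line(sample))
```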