Can anyone recommend a PPTP VPN server software?

That's a shame as I use a Mac. I'll look into it for the Windows clients though. Thanks!

Point me to a HOWTO on configuring an IPSEC server using regular distro packages on Debian/Ubuntu/CentOS that will work, out of the box, with no custom software, for “roadwarrior” clients on all the above, and I will happily buy you beer.

There are a hundred HOWTOs on the internet, and I’m pretty sure I’ve tried all of them - none work on all clients out of the box.

Kerberos is used by the PPTP server to authenticate the user, yes, but not for the over the line handshake from the client to server, which is typically some form of EAP such as MSCHAPv2. I’d really suggest moving to L2TP. It’s far more secure, and it doesn’t have the performance problems of TCP over TCP.

Cool. Here’s my road-warrior OpenVPN configuration:

openvpn-rwserver.conf

It references an external authentication script that hooks into LDAP. That’s available here:

openvpn-ldap-auth.sh

Windows client: OpenVPN GUI

Mac client: Tunnelblick

Good luck with your project!

Not sure how well it works, but a quick google found me this: sstp-client download | SourceForge.net

Sadly L2TP is blocked on my remote network by my ISP. I have a feeling I’m going to need to think of another way to skin this cat.

Thank you so much for all the help! 🙂

Sorry, no - the server would be in a data center on a static IP - the clients could be anywhere. About half the IPSEC documentation I’ve read seems to assume a static IP at both ends - in reality it needs to work with clients coming from a new IP every time - staff might be at a client site, or in a hotel, or on a cellular connection, or at home, etc.

The generic PPTP server that comes with Debian/Ubuntu works on all clients that I’ve tried, out of the box (crappy firewalls notwithstanding). No extra software required - you fill in the server name, username and password on the end user’s stock VPN client, and it Just Works.

If IPSEC was even half as easy, PPTP wouldn’t exist. Until then, it will hang around 😦

Consider OpenVPN. It’ll run on any UDP port - if you’re struggling to find one, try using the ones DHCP or DNS run off. If you’re still struggling, configure a server to have no firewall and then run a UDP port scan on it - ports coming up “closed” instead of “filtered” are viable.

Ouch. If you were entirely Windows 7 I’d suggest trying SSTP as it runs over TCP 443. Still has the TCP over TCP problems, though.

Some other form of SSL VPN might be your best bet in this case though.