cisco

By steve, 8 November, 2013

When using IPsec, I prefer to use tunnel interfaces so you can route traffic normally across the tunnel and use BGP/OSPF to transfer routes between sites. I managed to get this working from Linux to Cisco as follows, with redundant DSL connections (you can adjust to suit your environment):

On the Cisco router:
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600

crypto isakmp key Pre-Shared-Key address Linux-IP-Address no-xauth

By steve, 5 November, 2013

I have been looking after QoS settings on a site using a Cisco router for a number of years, and had issues with it not doing what I expected. The design was to use a hierarchy to guarantee bandwidth to certain classes of traffic, but allow all traffic to use the full bandwidth if other classes did not need theirs. I discovered that you need to apply the service-policy to the ATM PVC (for a DSL WIC) in order for it to work as expected, and NOT to the dialer interface. The config I used is below:

By steve, 31 May, 2011

To guarantee that an account session ID is unique across router reboots, we added the following config to our LNS routers:

router#conf t
router(config)#radius-server unique-ident 1
router(config)#end
router#wr m

If we ever replace a router, we need to increment the unique-ident number to ensure that the new router does not reuse the same session IDs as the old one. This is because we use nas:sessionid as the unique key to identify a session.
