So the good news:
the 2.1 box is up and running, doing its basic work already, which is to route a public class-C net over an IPSec tunnel to a colocation provider who routes my net (because the local ISP isn't willing to do so).
Doesn't do much firewall stuff yet, because I need to bring things to where I want them to be step by step.
In any case, throughput is now about twice as fast as with the hacked-together solution I had with my now resting ZyWall unit. That's the good part.
Now for the not-so-good:
1) For an IPSec tunnel where one endpoint is DHCP, and authentication is via PSK, it seems using a FQDN as ident string doesn't work. Since there is no pop-up for "DNS name" (like on the ZyWall) or "FQDN" (like on other boxes), I tried with "Distinguished Name", but that didn't work. Only after I switched to IP Address on both sides of the tunnel (and of course changed the string to some IP address) did I get the tunnel up.
2) In phase 2, I can't select a NULL encryption method. I know this is likely not a common requirement, but in my case encryption of any sort is just wasted CPU cycles, since all that traffic goes out to the public internet anyway.
3) In the ZyWall and most other boxes I know of, one can set what kind of connection an IPSec tunnel is: manual, on-demand, nailed-up. I can't find anything like this in the settings. Is an IPSec tunnel always up? Is it automatically established at system boot time, or on demand with traffic? Does it stay up, or time out after a certain amount of inactivity? I couldn't find any setting that seems to influence such behavior. Am I blind, or is this missing? If it's missing, what is the implied behavior?
And now the bad:
After staying up until the wee hours to get this all working, I went to bed with an active tunnel and a working connection to the public internet (all traffic to the outside world has to go through that tunnel, except the IPSec traffic that creates that tunnel, of course). When I got up, the tunnel was showing as active, but I couldn't connect to anywhere, i.e. the packets weren't flowing through the tunnel. No idea where they were going, but obviously nowhere.
So I was looking for a place where one can disconnect/reconnect a tunnel, which, again, most VPN boxes have a button for, e.g. next to the list of defined tunnels, or something like that. Couldn't find anything.
So I restarted racoon from the Dashboard. Still no connectivity. So then I stopped the racoon service. To my surprise, I noticed that even with racoon not running, the tunnel stayed up.
In the end, I had to go to the IPSec page (VPN: IPSec), uncheck the "Enable IPSec" box, hit save, wait a few moments, check that box again, and hit save again. That actually brought the tunnel down, then back up, and I had connectivity again.
So besides being really complicated (and affecting other tunnels, too, if I had any others active), the question is what sort of state the tunnel itself got into, where it showed as active and up but wouldn't pass any traffic until being terminated and reestablished.
With all this verbose background information, I guess what it boils down to is this:
a) I miss a way to see the "health" of an IPSec tunnel, because from what was visible on the Dashboard, everything should have been fine and dandy, but it wasn't.
b) I miss a way to quickly bring down or up individual tunnels.
c) I miss a way to specify a particular tunnel's behavior (manual connection, on-demand, permanent/nailed-up).
d) NULL encryption would be useful on occasion.
e) Using FQDNs as identification strings would be nicer than using IP addresses, but it doesn't seem to work at this point in time.
Not sure how much of this is 2.1 specific, but since I'm working with 2.1 at this point, I figure I'll post it here.