Answer straight from the book....
If I can quote from a book called Linux Firewalls by Robert L. Ziegler, 2nd Ed., p. 522, Appendix C, VPN:
"VPN and Firewalls
A VPN can be placed in front of a firewall, placed behind a firewall, or be part of a firewall implementation. Placing the VPN in front of a firewall is not very common. It is more common to use a firewall/VPN combo or to put the VPN behind the firewall itself.
Combining a VPN system and a firewall is one of the more flexible solutions. It also requires less hardware and this gives a single point of failure. However, I want to stress that the best solution is to have a VPN behind the firewall or as part of a DMZ configuration..."
I would quote more, but perhaps you ought to buy the book, ISBN 0-7357-1099-6.
Anyway, I too am wrestling with how to implement firewalls and VPNs. I would like to steer away from a Micro$oft solution. If we are to have the VPN on a separate machine from the firewall (itself a separate machine), then that means two Linux boxes on either side of a connection that straddles the Internet, 4 in all! Seems rather a lot. I am currently considering buying a Netgear/Linksys box of tricks that has the State Package Inspection firewall (same as iptables) as well as inbuilt IPSEC etc. I can't help feeling that the dedicated machine solution is perhaps best here. But I worry about it not working. I mean, if I build a cheapo Linux box and it doesn't work (as a firewall/VPN), then I can usually get it to do something else (i.e. the advantage of a general purpose box) and convince myself that I haven't wasted money. If these said Netgear/Linksys routers fail to deliver, then they become expensive white elephants, unusable for anything else.
I sincerely hope you get things sorted and perhaps you can post to this website with your experience please.
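The layout the quoted book recommends (firewall box in front, IPsec VPN gateway behind it in the DMZ) stands or falls on the firewall actually forwarding all three pieces of IPsec to the gateway. The following is an added example, not code from the post above or from Ziegler's book: an iptables-restore ruleset for the firewall box, plus a small audit function that checks a dump from `iptables-save` for the same three rules. The interface names (`eth0` to the Internet, `eth1` to the DMZ) and the gateway address `192.0.2.10` are assumptions for illustration. The point the audit catches is the usual mistake in this setup: opening UDP 500 (IKE) and UDP 4500 (NAT-T) but forgetting ESP, which is IP protocol 50, has no ports, and is therefore never matched by a port-based rule.

```shell
#!/bin/sh
# Added example (not from the original post or book): firewall rules for the
# "VPN behind the firewall, in the DMZ" layout, and an audit of those rules.
# Assumed topology: eth0 = Internet side, eth1 = DMZ side, IPsec gateway
# in the DMZ at 192.0.2.10 (a documentation address, chosen for the example).
VPN_GW="${VPN_GW:-192.0.2.10}"
EXT_IF="${EXT_IF:-eth0}"
DMZ_IF="${DMZ_IF:-eth1}"

# Emit an iptables-restore ruleset: default drop, stateful return traffic,
# and IKE (UDP 500), NAT-T (UDP 4500) and ESP (IP protocol 50) forwarded
# between the Internet and the DMZ gateway in both directions.
ipsec_passthrough_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $EXT_IF -o $DMZ_IF -d $VPN_GW -p udp --dport 500 -j ACCEPT
-A FORWARD -i $EXT_IF -o $DMZ_IF -d $VPN_GW -p udp --dport 4500 -j ACCEPT
-A FORWARD -i $EXT_IF -o $DMZ_IF -d $VPN_GW -p esp -j ACCEPT
-A FORWARD -i $DMZ_IF -o $EXT_IF -s $VPN_GW -p udp --dport 500 -j ACCEPT
-A FORWARD -i $DMZ_IF -o $EXT_IF -s $VPN_GW -p udp --dport 4500 -j ACCEPT
-A FORWARD -i $DMZ_IF -o $EXT_IF -s $VPN_GW -p esp -j ACCEPT
-A FORWARD -j LOG --log-prefix "fw-drop: "
COMMIT
EOF
}

# Read an iptables-save style dump on stdin and check that IKE, NAT-T and ESP
# are all forwarded to the gateway. Prints what is missing; returns 1 if any
# of the three is absent, 0 if the pass-through is complete.
check_ipsec_passthrough() {
    rules=$(cat)
    missing=""
    for need in "udp .*--dport 500[^0-9]:IKE (UDP 500)" \
                "udp .*--dport 4500[^0-9]:NAT-T (UDP 4500)" \
                "esp :ESP (IP proto 50)"; do
        pat=${need%%:*}        # regex fragment after "-p "
        label=${need#*:}       # human-readable name for the report
        printf '%s\n' "$rules" \
            | grep -q -e "^-A FORWARD .*-d $VPN_GW .*-p $pat.*-j ACCEPT" \
            || missing="$missing [$label]"
    done
    if [ -n "$missing" ]; then
        echo "missing IPsec pass-through to $VPN_GW:$missing"
        return 1
    fi
    echo "IPsec pass-through to $VPN_GW is complete"
}

# Stand-alone run: generate the ruleset and audit it.
ipsec_passthrough_rules | check_ipsec_passthrough
```

To load the rules on the firewall box run `ipsec_passthrough_rules | iptables-restore`; to audit a box that is already configured, source the script and run `iptables-save | check_ipsec_passthrough`. Note that the gateway address is used as a regular expression, so the dots match any character; that is acceptable for a quick check but tighten it if you reuse the function elsewhere.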