So... OpenVPN is so much easier than IPsec. Their quick start instructions just worked. I even got IPv4 + IPv6 routing working pretty quickly.
Though then I decided to try to switch to X.509 authentication, and... they're not kidding when they say "this is going to take a long time" when creating a dhparam file.