10. Running

Now that everything is configured, we can test it out.

10.1. Common Services

Regardless of whether you chose to use IPSec or OpenVPN, the following things must be done on the wired endpoint before anything else, in the order given:

  1. Run your firewall script.

  2. Start the DHCP server.

10.2. IPSec

If you configured your system to use IPSec, perform the following actions:

  1. Start Racoon on the wired endpoint.

  2. Bring up your wireless card.

  3. Run client-ipsec-config.sh on the wireless interface.

  4. Run the generated SPD rules script.

  5. Start Racoon on the wireless endpoint.

Now attempt to ping Google; ping should die with the following message:

connect: Resource temporarily unavailable

Wait a second or two and ping Google again; this time, you should see a steady flow of ICMP packets. This behavior in the 2.6 kernel is known: if an SPD entry exists for a particular connection but no SA does yet, the connect syscall fails immediately with that error (EAGAIN) rather than blocking until the SA has been negotiated. Patches to fix this behavior have been discussed; some kernel developers think it's too much work to do properly while others think it can be done.

You can verify that IPSec is in fact running by using tcpdump, Ethereal, or another packet sniffer. Outbound, you should see only your ESP packets; inbound, the sniffer should show each ESP packet followed by the decrypted IP packet, because the kernel hands the decrypted packet back to the network stack, where the sniffer sees it a second time.

I have also made available a tarball containing premade scripts for handling IPSec startup, including init scripts for Fedora Core and Gentoo.

10.3. OpenVPN

If you configured your system to use OpenVPN, perform the following actions:

  1. Start OpenVPN on the wired endpoint.

  2. Bring up your wireless card.

  3. Start OpenVPN on the wireless endpoint.

Now attempt to ping Google; it should work the first time around.

As with IPSec, you can verify that OpenVPN is running by using a packet sniffer; this time, you will see encrypted packets going to and from port 1194 (or whatever port you chose to run OpenVPN over) on the wired endpoint. You will not be able to see the decrypted packets unless you have the packet sniffer listen on tun0 (or whichever tunX interface you're using).
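The sniffer checks described for IPSec and for OpenVPN above can be turned into a leak test: save a "tcpdump -n" capture of the wireless endpoint's wireless interface and flag every packet that endpoint sent in the clear. The script below is an added example, not a script from this HOWTO or its tarball; it assumes constructed placeholder addresses (wireless endpoint 10.0.0.2, wired endpoint 10.0.0.1), that Racoon's IKE exchange on UDP 500 is the only legitimate cleartext traffic for IPSec, and that the OpenVPN tunnel port is 1194 unless another is given.

```shell
#!/bin/sh
# Added example, not part of the HOWTO: scan a "tcpdump -n" text capture taken
# on the wireless endpoint's wireless interface and print every outbound packet
# that left in the clear. For IPSec only ESP and Racoon's IKE (UDP 500) may
# leave unencrypted; for OpenVPN only traffic to the tunnel port (1194 by
# default) on the wired endpoint may. Addresses below are constructed
# placeholders: wireless endpoint 10.0.0.2, wired endpoint 10.0.0.1.

# Usage: cleartext_outbound LOCAL_IP ipsec|openvpn [PORT] < capture.txt
cleartext_outbound() {
    awk -v ip="$1" -v mode="$2" -v port="${3:-1194}" '
        $2 == "IP" {
            # tcpdump appends ".port" to TCP/UDP addresses, so a fifth dotted
            # component in the source field is a port and is dropped first.
            n = split($3, a, ".")
            src = (n == 5) ? a[1] "." a[2] "." a[3] "." a[4] : $3
            if (src != ip) next      # inbound: ESP plus its decrypted copy is normal
            if (mode == "ipsec") {
                if ($6 ~ /^ESP/) next                        # encrypted, as expected
                if ($3 ~ /\.500$/ && $6 ~ /^isakmp/) next    # IKE is cleartext by design
            } else if ($5 ~ ("\\." port ":$")) next          # OpenVPN tunnel traffic
            print                    # anything else bypassed the tunnel
        }'
}

# Constructed sample capture; the last two lines are leaks an IPSec setup must not show.
SAMPLE_IPSEC='12:00:00.100000 IP 10.0.0.2.500 > 10.0.0.1.500: isakmp: phase 1 I ident
12:00:00.200000 IP 10.0.0.1.500 > 10.0.0.2.500: isakmp: phase 1 R ident
12:00:01.000000 IP 10.0.0.2 > 10.0.0.1: ESP(spi=0x0000a1b2,seq=0x1), length 116
12:00:01.050000 IP 10.0.0.1 > 10.0.0.2: ESP(spi=0x0000c3d4,seq=0x1), length 116
12:00:01.050100 IP 66.102.7.99 > 10.0.0.2: ICMP echo reply, id 1, seq 1, length 64
12:00:02.000000 IP 10.0.0.2.33000 > 10.0.0.1.53: 1234+ A? www.google.com. (32)
12:00:03.000000 IP 10.0.0.2 > 66.102.7.99: ICMP echo request, id 1, seq 2, length 64'

# Constructed OpenVPN sample: one tunnel datagram, one DNS query that bypassed tun0.
SAMPLE_OPENVPN='12:00:01.000000 IP 10.0.0.2.41000 > 10.0.0.1.1194: UDP, length 125
12:00:02.000000 IP 10.0.0.2.33000 > 10.0.0.1.53: 1234+ A? www.google.com. (32)'

leak_count() { cleartext_outbound "$1" "$2" | wc -l | tr -d ' '; }

echo "IPSec leaks:   $(printf '%s\n' "$SAMPLE_IPSEC" | leak_count 10.0.0.2 ipsec)"
echo "OpenVPN leaks: $(printf '%s\n' "$SAMPLE_OPENVPN" | leak_count 10.0.0.2 openvpn)"
```

A non-zero count on a real capture means the firewall script or SPD rules let traffic from the wireless card out unencrypted; the printed lines show exactly which packets did.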