OK...I set up a CA and issued certs to the ISA computer and the VPN client computer. Disabled pre-shared key.
I can log on using "Log on using dial-up connection" and everything seems to work properly...except the firewall bypass. I've triple-checked the SID in the SDDL. Domain Admins (of which my acct is a member) and a computer on the internal network that I'm using to test this are both in the group whose SID is specified in the policy. But packets Windows Firewall is supposed to drop when off the LAN are still dropped, whether they're packets I send (ping, for example) or ones sent by the computer.
One other thing I've wondered about this policy: Documentation I've seen seems to imply--without ever actually saying it outright--that if I enter the SID within the parentheses, I can use the remainder of the SDDL syntax as it's shown in the GP property dialog. Nothing changes outside the parens that surround the SID...right?
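As an added check (not part of the original post or any Microsoft tooling), here is a small Python validator for the bypass policy string. It assumes the policy's SDDL has the shape `O:DAG:DAD:(A;;RCGW;;;<SID>)`, with one or more such ACEs and nothing else changing outside the parentheses; that template is my assumption, and the domain SID in the sample is a constructed placeholder.

```python
import re

# Constructed sample: same shape as the policy string, with a made-up domain SID.
# RID 512 is the well-known RID for Domain Admins.
SAMPLE_SDDL = "O:DAG:DAD:(A;;RCGW;;;S-1-5-21-1111111111-2222222222-3333333333-512)"

# Assumed template: owner DA, group DA, DACL of one or more allow ACEs granting
# RCGW, where only the SID inside each pair of parentheses is meant to change.
TEMPLATE_RE = re.compile(r"^O:DAG:DAD:((?:\(A;;RCGW;;;[^()]+\))+)$")
ACE_RE = re.compile(r"\(A;;RCGW;;;([^()]+)\)")
# A SID is S-1-<authority> followed by 1..15 numeric sub-authorities.
SID_RE = re.compile(r"^S-1-\d+(?:-\d+){1,15}$")


def check_bypass_sddl(sddl: str) -> dict:
    """Validate the string and return the SIDs it grants bypass to.

    Raises ValueError naming what is wrong, so a stray character outside the
    parentheses is reported separately from a malformed SID inside them.
    """
    match = TEMPLATE_RE.match(sddl.strip())
    if not match:
        raise ValueError("text outside the ACE parentheses does not match the template")
    sids = ACE_RE.findall(match.group(1))
    for sid in sids:
        if not SID_RE.match(sid):
            raise ValueError(f"malformed SID inside ACE: {sid}")
    # The trailing sub-authority is the RID; 512 identifies Domain Admins.
    rids = [int(sid.rsplit("-", 1)[1]) for sid in sids]
    return {"sids": sids, "rids": rids}


def is_valid_bypass_sddl(sddl: str) -> bool:
    """Boolean convenience wrapper around check_bypass_sddl."""
    try:
        check_bypass_sddl(sddl)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(check_bypass_sddl(SAMPLE_SDDL))
```

A string that passes this check but still does not bypass the firewall points the investigation away from the SDDL text and toward group membership as seen by the client (a fresh logon/Kerberos ticket after a group change) or the IPsec negotiation itself.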