After a long development period we recently shipped our IPsec guidance -- check it out -- http://www.microsoft.com/technet/security/topics/architectureanddesign/ipsec/default.mspx

Let me know what you think.  This work grew out of a issue we were looking at in the banking industry for ATM security.