L2TP with IPSEC is for sure easy to setup, but even more convenient would be to use Active Directory authentication, such as one for SSL VPN and admin role setup. Windows internal VPN client offers domain credentials as on option for authentication, that would ease the setup. Of course there would be need for group membership checking or explicitly define, which users are allowed to login. Also, DH should allow use of 2048-bit keys.