I think OpenVPN is a good inexpensive choice, (I say inexpensive because if it works for you I would certainly donate), although it doesn't support L2TP or IPSEC, it does support SSL, TLS, VPN's, NATs, Certificates and has a wide OS scope. Kudos to them.

I know that future Netgear products, in particular, will support SSL over VPN with certificates and I'm happy they are moving from a difficult (should I say problematic) propietary VPN setup to a easier (what's becoming) industry standard way of doing things (SSL over VPN).

I do like Vasco's Virtual Digipass (but haven't installed it) and I do have experience in setting up an RSA SecureID two factor (wireless key fob) system with Checkpoint VPN, but with a meager budget of $1000 for hardware and/or software, I don't know where you are going to source your solution. Two factor is not cheap, although I don't know what the open source community holds.

Anyways, my suggestion, is continue with the idea of running SSL certif over VPN with a single factor auth system, see if that's all you need.

I do have a question.
Instead of using the USB devices as part of a two factor VPN auth system, what about using a single factor VPN system (as discussed) and use the USB devices as authorization for hardware access?