10.6: Save Cisco IPSec password in the Keychain

Aug 28, '09 07:30:00AM

Contributed by: fds

Mac OS X Snow Leopard adds support for Cisco IPSec VPN connections -- that is, plain IPSec with XAuth authentication and mode_cfg.

That makes two layers of authentication: first, Machine Authentication with a password (Shared Secret) or an X509 certificate; then a traditional username-password pair for XAuth, both of which you can enter and save in the Account Name and Password fields respectively when you set up the connection. The trouble is that even though you entered your password and it is apparently saved in the keychain properly, Mac OS X keeps nagging you to enter the password manually every time you connect. It turns out this is just a bug with a simple fix.

Open the Keychain Access application, select the System keychain, and find your saved XAuth password entry in the list. Its Kind field will say IPSec XAuth Password. Open it, then on the Access Control tab click the Plus button to add another application to the list of those allowed to access the item. The file we need to select, /usr/libexec/configd, resides in a hidden folder. To navigate there, press Command-Shift-G, enter /usr/libexec, then pick configd in the dialog. Save your changes and that's it -- your saved password should now work.

[robg adds: I can confirm that this fix works as described.]

