Well, I figured it out, so I thought I'd post it.
- Open Network preferences.
- Click on the "+" in the bottom-left (you may need to unlock it with an admin password first).
- Select "VPN" from Interface, "Cisco IPSec" for VPN Type and put whatever you like in Service Name.
- Click "Create".
- Connect to a BT OpenZone SSID but don't log in.
- Click on "security" at the bottom right and go through to the "free download" of Cisco VPN software.
- Download the software.
- Now you can log in to OpenZone with your usual username and password.
- Mount the disk image you downloaded.
- Don't instal it, but look in Profiles/ in the disk image and open BTOpenzone-client.pcf using a text editor (Fraise, for example).
- Look for the text after "Host". It may be "18.104.22.168". Put this in as "Server Address" in the Network settings.
- Look for the text after "Username". It may be "vpn-client". Put this in as Account Name.
- Look for the long strong of alphanumerics after "enc_UserPassword". You can't put this in as a password because it's encrypted, but it uses some bizarrely pointless encryption, and can be easily decrypted using a web utility. Put this in as Password. Mine decrypted to something hilariously non-dictionary-attack-proof. I assume this is the same for everyone who downloads the utility, but perhaps not.
- Click on "Authentication Settings...".
- Look for the text after "enc_GroupPwd". Put this in as Shared Secret.
- Look for the text after "GroupName". It may be "wbb-client-vpn". Put this in as Group Name.
- Click OK.
- Now click "Apply", and "Connect", and you should be securely connected to OpenZone's VPN!
Apparent bug: it seems to ask for the password every few minutes and won't let you continue until you click "cancel" (unsecured) or enter it. Can't figure out why... Edit: Oh, turns out this is a bug, with a fix.
PS. I found a guide here which has similar instructions, but I only found it after I'd written this ;)