In case you are using IPSec, you could refer to this article:
816514 HOW TO: Configure IPSec Tunneling in Windows Server 2003
http://support.microsoft.com/?id=816514
Enable Auditing for Logon Events and Object Access
--------------------------------------------------
This logs events in the security log. This tells you if IKE
security association negotiation was tried and if it was successful or not.
1. Using the Group Policy MMC snap-in, expand "Local Computer Policy",
expand "Computer Configuration", expand "Windows Settings", expand
"Security Settings", expand "Local Policies", and then click "Audit
Policy".
2. Enable "Success" and "Failure" auditing for "Audit logon events" and
"Audit object access". Note If the Windows Server 2003 gateway is a
member of a domain and if you are using a domain policy for auditing,
the domain policy overwrites your local policy. In this case, modify
the domain policy.
If you are not using IPSec, you can do the above steps in the Default Domain
Policy. This will audit all logon events if done at that level.
An alternative idea would be link a new policy (with auditing enabled for
success and failure) to the OU which contains the VPN users, then only give
VPN users Read and Apply Group Policy Allow permissions on that GPO.
Unfortunately, I'm not aware offhand of a tool to notify you via email as an
event is logged. The closest tool to that I know of is EventCombMT, but I
believe this just displays an alert (local on that box it is run on).
824209 How to Use the EventcombMT Utility to Search Event Logs for Account
http://support.microsoft.com/?id=824209
If any one else is aware of a tool to do this please post.