I use a generic access point with wep and all management services disabled attached via a crossover cable to an interface in my freebsd gateway/firewall. I've set up the freebsd box to be an ipsec security gateway which only allows encrypted packets and IKE over the interface the access point is attached to. It does allow (unencrypted) dhcp requests through, but I have set up my dhcp server on the freebsd box to only give out IPs to known mac addresses.
Authentication right now is done via a preshared key, and all traffic between the client and server is required to be encrypted. This keeps unauthenticated clients off my wireless segment (because I know everyone is trying to hax0r me!) and provides excellent security.
On the client side, I use a lucent pcmcia gold card in my laptop running windows XP. Although XP has ipsec support built in, it is pretty much useless for setting up tunnel mode which is what is needed to connect to a network "beyond" the ipsec endpoint (ie. the internet), so I use a 3rd party vpn client: SSH-Sentinel. Once encrypted traffic hits the vpn endpoint after travelling over the wireless connection, it is decrypted and directed to where it needs to go by the freebsd gateway.
And for the curious, more info on the server. FreeBSD 4.7 w/ ipsec and ipfilter compiled into kernel. Has 4 network interfaces (internet segment, 2 wired segments, and wireless segment). Runs ipf/ipnat and racoon -which is able to generate ipsec policies based on client requests - very useful for clients with dynamic IPs.
I never bothered to test throughput before all this, but with the current setup I am able to get about 4 Mbit/sec throughput on the wireless segment with 128 bit rijndael encryption from across the room.
I realize this is very much overkill for a home setup, but I thought it was a good learning experience setting it all up. In terms of cost, I already had all the hardware sitting around, so all that the project used was my time - about half a weekend.
~bex0rs