I don’t know how Mac OS X’s L2TP/IPSec client works, but in any case Zeroshell uses Ms-CHAPv2 to authenticate the l2tp tunnel instead of using directly Kerberos. The usernames and the passwords for the Ms-CHAPv2 protocol are the same ones stored in the Kerberos KDC.
That is because the L2TP/IPSec client of Windows XP is not able to authenticate directly with Kerberos but uses RADIUS+MS-CHAPv2.
Regards
Fulvio