A great deal depends on what kind of VPN services are required: office-to-office connectivity, or remote access via the Internet? How will access control be managed? How often will authentication materials be changed? How dynamic is the user population? Do IP addressing conflicts exist, and how will they be resolved? How many different OS platforms? How will security policies be enforced? How will security breaches be detected and remediated? If the environment will be relatively unchanging, once established, a Linux-based solution may be well suited.
Shameless plug: It might be worth considering a managed service provider that provides a complete security solution. OpenReach, the company I work for, provides one such solution, which we believe is well-suited to the needs of organizations such as those you describe.
This was first published in June 2003