I have found one of the most diffcult thing to do in a VPN connect is that you may not have control over what the end user always does. For example lap tops you install and configure the OS for the VPN etc and all works well during testing. Usually the users has elevated rights both at the firewall and their lap top? Unless you can control the end PC or lap top rights and policies fully then it can be secure if their son or daughter use the PC lap top to surf and do their thing you got a ton of problems. Emote users are diffcult to control even more so if they have senior status where you work and demand local admin rights on their systems but are totally lame users.