Was talking to Greg Hughes today about VPN solutions. Had an interesting conversation as far as IPSEC clients go.
For most IPSEC clients, the fact that their tunnels don't go over the normal web ports (80 and 443) is a big disadvantage. Some hotels, colleges and other networks block pretty much anything but port 80 and 443 or require you to use a proxy for other services. This means that an IPSEC client like Netscreen Remote (or SonicWall's client, or WatchGuard's client, or any client based on the same client that they all use) is completely nonfunctional when used in this sort of network.
Anyhow, found out from Greg that Cisco's VPN client (most likely when used with a Cisco Pix firewall) can be set up to send IPSEC traffic over port 443. This means that even though their client is still sending IPSEC traffic, because it creates the tunnel on port 443 it will have no problems working when a user is in one of those more restrictive networks.
I'm sure that Checkpoint's client has similar functionality, but most companies will find it hard to justify the cost of a Checkpoint firewall.
The point is that if you are looking for an all in one hardware/software firewall and VPN solution, take a closer look at the Cisco Pix line of firewalls. Sounds to me like you will be glad you did.
For the rest of us, there's always SSLExplorer. :)
By the way, after I wrote this, I saw that Greg had posted more info on this on his blog.
For client based VPN solutions, he obviously favors Cisco's client (what I wrote above is a very good reason why), but I personally favor clientless VPN solutions as they are easier to deploy and manage, in my opinion.