Well, the perimeter security issues mentioned above, plus a firewall should give the option of VPN with or without trust. For example, I would prefer all sessions between my firewall and my clients and business partners to be encrypted — to be VPNs. But, I want all of them to run up against my firewall if they try to do anything besides what I permit. On the other hand, if I dial in from the speaker's lounge at a conference, I would like a private connection (that is to say, encrypted) that also looks and feels like a virtual "inside" connection, just as if I was sitting in the office.
VPNs are typically handled as just another job by the network or system administrator staff. Whoever is managing the firewall today can easily add VPN management to the plate because once a VPN is set up there is little else to do on most implementations.
Privacy from end to end. The cryptography used, generally speaking, is very good. Whatever you do, that is encrypted, is very well hidden from sniffers on the net. Whatever is not encrypted, you may as well shout from the rooftops or post on your web page.
Many vendors claim to be IPSEC-compliant. The real requirement should be "list the other products with which you can communicate" Also, a customer should want to know how automatic the key exchange mechanism is? In a perfect world — in an IPSEC world — it would be automatic. If a Virtual Network Perimeter (VNP, not VPN) is used, how easy is it to deploy the software to mobile PC users? How much does it interfere with normal network operation from a mobile PC, if at all? What crypto algorithms are used? What key length?
Aventail is a leader in this market. All the major firewall vendors and router vendors are in it as well. On the client side, Timestep and V-ONE are big.