My advice is to get a firewall which has the ability to do SSL VPNs.
You're right about looking towards SSL VPNs. SSL VPNs provide so much more flexibility than the old traditional client-dependent DES/3DES, AES/AES128/AES192/AES256. While there are some places which still require this, most people have converted over to using SSL VPNs. SSL VPNs give you the option of going client-less or full client. In the client-less mode, the end user doesn't need to have install privileges on their remote PC. Nor does the end user need to have a full client running to access the SSL VPN. The user connects in to a web page, authenticates, and then is presented a desktop of services/resources/applications for which the user has permissions to access. The SSL VPN appliance acts as a proxy. In the full client mode, the user must have privileges to download and install the client or the client must already be installed. This provides the most flexibility in terms of accessing the central network as the full client places the remote PC on the central network. The amount of access can still be controlled with access rules placed on a per-user basis.
I've been using VPNs for a long time. I've skipped over the PPTP technology and gone to 3DES, then AES 256, and now SSL VPNs. My first VPN appliance was a Netgear FVS318 which I have moved on to now using a SonicWall Aventail SRA virtual appliance and a Cisco ASA 5505. My current edge firewall is a SonicWall TZ215 which also has SSL VPN capability but I haven't bothered to set it up on this box. The advantage of having a firewall with SSL VPN capabilities is that it keeps your configuration simple. This one box does all your routing, firewall, and VPN services. You don't have to mess with port forward/access rules to send external traffic to a separate device.
With the SonicWall Aventail, I have a mobile client on my smart phone which allows me to access my home network securely, and my laptops which I take on the go have the PC client loaded. I still use the Cisco ASA version for specific access to a management subnet I have set up. Although I have configured the Aventail to now have access to the management subnet which it didn't when I first set it up, I still keep the ASA going as a backup connection.
I also like using SSL VPNs because the network traffic looks so innocuous that many public hot spots won't block this traffic, whereas regular VPN traffic sticks out like a sore thumb.