Dhaval Thakar wrote:
If you could use a lower CPU intensive crypt like blowfish, it would be easier.
Are all these trading partners in different locations or are there semi large groups in the same locations?
All these are end users. They connect software from home / offices.
Do they actually need a generic VPN? If they only run a few applications you might be able to use https or similar ssl based connections and avoid the routing/addressing/MTU issues. You can still use certificate based authentication in one or both directions if you want.
Also if the application(s) can be made to run over normal https (i.e. a web interface) you get the advantage of working through most existing proxies and firewalls, plus on the host end you have the option of scaling up with a load balancer that handles the ssl processing and reverse-proxies to a pool of backend servers.
They need database access. I prefer providing the database over VPN rather than providing it via the internet on a different TCP port.
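The TLS-terminating front end with certificate-based client authentication suggested in the thread, applied to the database-access case, as an added example that is not part of the original posts. It assumes nginx with the stream module; the listen port, certificate paths and backend addresses are placeholders.

```nginx
# Added example (not from the thread): nginx terminates TLS for database
# connections and requires a client certificate from every end user, so the
# database port is never exposed as a plain TCP service on the internet.
# Assumptions: port 5433, certificate paths and backend addresses are placeholders.
stream {
    # Pool of backend database servers; nginx balances plain TCP to them.
    upstream db_pool {
        server 10.0.0.11:5432;
        server 10.0.0.12:5432;
    }

    server {
        listen 5433 ssl;                      # end users connect here over TLS
        ssl_certificate     /etc/nginx/tls/server.crt;
        ssl_certificate_key /etc/nginx/tls/server.key;
        ssl_protocols       TLSv1.2 TLSv1.3;

        # Mutual TLS: only clients presenting a certificate signed by this CA
        # complete the handshake; everyone else is dropped before reaching the pool.
        ssl_client_certificate /etc/nginx/tls/partner-ca.crt;
        ssl_verify_client      on;
        ssl_crl                /etc/nginx/tls/partner-ca.crl;   # revoked partner certs

        proxy_pass db_pool;                   # decrypted stream to the backend pool
    }
}
```

The hop from nginx to the pool is plaintext, so keep the backends on a private network, and remember the database still sees every session as coming from the proxy rather than the partner.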