After summarizing all the clues I think I'll give a chance to OpenVPN + OpenBSD 3.9 combination primarily due to questionable quality of windows clients IPsec+IP stack (as I said in my first post - windows clients will comprise about 99% of all my VPN client base).
The differentiation between OS (OpenBSD) and the service (OpenVPN package) will be clearly stated to the upper management, including OpenBSD's proactive- and overall security reputation. Also, as this VPN service will be added to our existing service monitoring framework, and as the great majority of clients will be our own system administrators (VPN will be used for remote access in the case of interventions), this combination should probably suffice. The VPN service will not be sold to external clients. Thanks to everyone for valuable opinions and comments! j. Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com