PPTP is bad; the control & authentication channels are outside the encryption.

L2TP is better, but by itself the protections suck (weak encryption).

Cisco's IPSec + XAUTH suffers from incompatibility with, oh, everything not Cisco, and has a group enumeration vulnerability.

L2TP/IPSec is best of the lot, but it really needs EAP-TLS authentication to be secure.

SSL VPNs are the new buzzword, but they make you jump through hoops to transport anything other than application protocols.

Nah, I'm not cynical.

-- C