Look also vyatta, there are a lot of how to in Russian on the internet. It has been in production for several years now. At first there was a Cisco 2811, but her fan was noisy. I took it off and while I was looking for a replacement for the fan (whoever changed it knows, you will find their horseradish) temporarily put vyatta on the virtual machine. Since then, 2 years have passed, Cisco is still in the closet.

I would put ASA5505 everywhere and put site2site and anyconnect on them (in the main office)

As an option cisco 28xx series. And there are expansion slots and can build channels (and only if the K9 series) and eigrp understands. In general, not a bad series - just for your needs. I use 2801 myself.

V-zero: the router is not made in the virtual machine.
First: since there are two inputs, there should be two devices.
Secondly, it is important to know what the load on the VPN will be, it depends on the bandwidth of the channel.
You can buy used Cisco, Juniper.
If there is no money, then Mikrotik. He can also use OpenVPN.
To set it up, it’s better to ask specialists, at the same time you will learn if you force the documentation to be issued.

Cisco 28xx / 35xx to the office, to Mikrotiki 751G branches, we do this, we don’t get sick. Mikrotiks are more than enough for a small office for VPN (including VoIP), DHCP, encrypted Wifi and much more. Doesn't itch at all.

If we put cats and the budget is not very large, then it is possible at flea markets like avito, Cisco 2801 for 10 tr. take.

And what at remote offices now costs as the gateway?

If there is a 2008R2 server - vpn, routing, nat on it according to accounts in AD + vpn the client is in each version of Windows.
If not - vyatta and linux / bsd on the server and openvpn on Windows at regional offices.
Mail - if it glows outward, then it will be available regardless of the VPN connection.
PS The router is normally done in a virtual machine with two network forwarding - if the hypervisor falls, then believe me, there will be no time for a proxy, and if the virtual machine falls - frya and Linux in the minimum configuration weigh several hundred meters, it takes a minute to raise from backup. Even a 30 gigabyte Windows virtual machine rises quickly.

In general, the UC series for branches is not very bad, not for large ones, but let's say small and medium ones. There already both voip and voice mail. Their only minus is not supported by eigrp, although it needs to be clarified, maybe they have already added it in new models / ios.

In the head office ISR4321-SEC / K9 (namely SEC) without it, VPN cannot be thrown. To offices C881-K9 .
Or head ASA5512-K8 + license L-ASA5512-SEC-PL to offices ASA5505-SEC-BUN-K9 The second option is more classic.