Peter,
Got some older computers lying around? Take a look at IPCop.org... a simple firewall, proxy, IPSEC VPN router that is easy to set up, GPL, and a small download.
I have incorporated IPCop as my 'primary' internet connection at each location. I have experienced the problems you have posted, and basically have gone through this headache with every e-smith/SME upgrade. IPCop is a simple router and is designed to connect LANs with IPSEC. I am very happy with IPCop. You can continue to use SME in server/gateway mode by putting the outer NIC card on the DMZ subnet with the IPCop server... or just run SME in server-only mode. IPCop 1.3 allows you to easily port forward PPTP VPN to SME on the LAN if you only have a single internet IP address available at your site. This allows you to keep PPTP to SME without SME being on the internet. Setting up IPSEC on IPCop is simple if you have read the documentation completely.
Have fun.
ryan