Recommendations on VPN Concentrator replacement

Currently using an ASA 5505 solely as a VPN Concentrator terminating a handful of L2L IPSec tunnels. This old guy is a workhorse but it just can’t do some of the encryption methods some of my vendors are looking to run. I noticed that the ASA5506-X are the replacement, but I imagine EOL will be announced on those fairly soon. Any recommendations on a replacement for my 5505?

The Fortinet 60e might fit nicely as well. For pure crypto throughput, it’s a beast for the price…

Palo Alto PA-220 and never look back. I was a die hard Cisco ASA user and made the switch to PAN a few years ago. Highly recommended!

I manage a bunch of Pulse Secure VPN appliances and vastly prefer those over the ASA. Don’t even think about SonicWall SSL VPNs.

Fortigate 100e or 200e should do you right.

If it’s only L2L I would suggest a couple of Juniper SRXs.

It might be a little confusing at first, but as with the ASAs, it just runs when configured.

OpenVPN has been great for us.

I’d really look at Fortigate if you just need to terminate VPN tunnels. We have a 500D with ~1500 tunnels negotiated to it at any time and it handles it without breaking a sweat. Even their low end models like the 60E can do 2Gbps of IPSec throughput without any additional licensing; I’ve pushed up to 1Gbps IPSec through our 60E. Also, client access VPN requires no additional licensing. It’s a fantastic VPN appliance overall, really does a great job for us.

Here, pick one :slight_smile:

https://www.consilium.europa.eu/en/general-secretariat/corporate-policies/classified-information/information-assurance/eu-restricted/

pfSense

https://www.pfsense.org

FortiGates are the best for IPSec and SSL. Check the data sheet for the number of tunnels supported by model. FortiClient VPN is free software that users can download for IPSec and SSL connections to work remotely, without having to worry about licensing and only about what the firewall can handle. We have two 1000Ds at each of our data centers running in HA and they can support 10,000 SSL users each. Also, the GUI is clean and nice looking, while the CLI commands are easy to learn or google if needed. Calling in to support usually gets you an engineer within a reasonable amount of time as well.

No Juniper SRA love? We put in an SRA 1000 pair at our very edge just for site to site VPN, BGP, and with big bulk inbound block rules to block all the weirdo ports (we have no inbound FTP, SSH, etc etc so block everything but 80, 443, 25, etc) to keep our next layer firewall (PAN5020s) logs cleaner.

All client VPN is PAN as it is excellent, works cross platform, super configurable policies - just works.

I use a pair of ASR1006 as my site to site VPN concentrators.

They work really well and support everything.

Not cheap, though.

New entrant which I haven’t used myself but looks interesting. I hear AT&T are deploying a load of these for VPN:

I’ve been using an x86 RouterOS box to do the majority of my VPN tunnels; it handles my IPsec tunnels to Merakis, ASAs, Sophos (Sophiii?), WatchGuards, and supports OpenSSL VPNs for clients as well. It also does HA and all that happy :horse_face: :poop: relatively easily.

Fair warning I work for the company, but I’m off the clock and not paid to talk about it - I just highly recommend our product.

If you have a virtual environment, you might consider looking at Cohesive Networks’ VNS3. It’s cloud-native, but will run just about anywhere. Having used just about every vendor’s products, I can say that VNS3 is just about the easiest one to get IPSec connectivity set up.

It’s also cheaper than just about anything else out there for most use cases.

We’re always happy to give demos or POC licenses if you care to check it out.

We still have a Firepower running ASA code. Even with the new bells and whistles, the setup of older policy-based VPNs is good, but only if you’re good with ASA troubleshooting. When you add in IKEv2 and route-based VPNs, the shiny luster of ASA gets tarnished pretty badly. We still have all types of those tunnels; they work okay. Of note, be prepared to pull out some strong BGP design and configuration for your routed VPN setups. The ASA has a BGP feature set that causes some head scratches at times.

We also have Fortinets and Palo Altos. Of those two, we vastly prefer Palo Alto. Troubleshooting, visibility and configuration are easier and they are VERY capable and solid devices even outside of that purpose.

I’d recommend a bake off between two vendors and letting them know price is being compared to functionality in your bake off. This lets you try a simple and a complex tunnel with both and pick a winner based on its strengths for you.

I would usually go with a suitable ISR for this kind of scenario. Something in the ISR4K for example, depending on bandwidth requirements.

The new Firepower 1010 is the replacement for the 5506-X and it should have ASA support around 6.5. If you need something today you could go 5508-X which would include all the same features as the 5506-X.

ASA all the way for a VPN concentrator. Solid and reliable platform.

I have a WatchGuard Firebox M440 for my IPsec and SSL VPNs and have no issues at all. I have yet to run into any features that aren’t available, and I work in healthcare, so our vendors are pretty security oriented.

edit: and the GUI is extremely nice, and they have a standalone Windows application that works well.