There are a number of issues associated with VPNs, or Virtual Private Networks.
The first question is, do you absolutely need encryption between these sites? If you do not need encryption, then you can ask your network operator to configure the two sites on their own VLAN (Virtual LAN). Their traffic can then be routed at the teleport from one site to any other site(s) in the VLAN. The iDirect system is inherently quite secure without encryption. Trying to figure out which remote site is transmitting in which timeslot at any given point in time is quite difficult and will require a significant reverse engineering effort. Each iDirect modem has a burned-in hardware address and can only receive data that is directed to it.
If you require encryption between the two sites, then you will need a VPN appliance or software. The most popular VPN solutions are IPSec and they are available from many vendors such as Cisco, Juniper, Nortel, 3Com and many others. There isn't any particular model that will work better with iDirect than any other.
Another possible option is an SSL-VPN. Because IPSec (or PPTP from Microsoft) encrypts the TCP headers on each packet, the TCP/HTTP Acceleration feature of the iDirect (or any other) modem is disabled. You already have a significant delay issue to deal with here because your traffic must make a double satellite hop, unless you are using mesh. SSL-VPNs only encrypt the data, and leave the TCP headers alone so that TCP/HTTP Acceleration continues to operate properly.
There are pre-acceleration devices such as iDirect's 1100 Network Accelerator, or UDCast or Packeteer/Mentat, that provide TCP/HTTP Acceleration before the data gets encrypted. These external appliances sit between the LAN and the VPN appliance, but they increase the cost of the solution.
iDirect has their own encryption option that you can run over the system; however, this will require that the network operator support the encryption line card in their hub. They will surely charge more to use this service. It's not cost effective for network operators to add this option unless they have enough sites interested in using it. The advantage of the built-in encryption is that TCP/HTTP Acceleration continues to work.
I'm afraid that a typical IPSec VPN connection over a double-hop satellite link is going to result in same day service - i.e. very slow!
Hopefully your application doesn't require end-to-end encryption and your network operator can simply configure the sites on a VLAN so they can be routed to each other.
In response to your question about whether adding additional sites requires additional VPN appliances, the answer is Yes, if you are using IPSec. You build or configure "tunnels" between the sites that want to communicate with each other. As you add more sites, you have to configure more tunnels. Most appliances have some limit on the number they support, so this has to be taken into consideration when selecting the right model.
Hope this helps,
Pat
Patrick Gannon
Business Satellite Solutions, LLC
www.bsatellite.com
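The difference between IPSec and an SSL-VPN described in the post above can be seen from the position of a TCP accelerator sitting in the path. The following is an added example, not part of the original post or any vendor's code: it parses two constructed IPv4 packets and reports which TCP fields an accelerator could still read. The addresses, ports, SPI and payload bytes are made-up sample values.

```python
import struct

def ipv4(proto, payload, src=(10, 0, 1, 2), dst=(10, 0, 2, 2)):
    """Build a minimal IPv4 header (checksum left at 0) around payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                       64, proto, 0, bytes(src), bytes(dst)) + payload

def tcp(sport, dport, seq, ack, flags, data):
    """Build a 20-byte TCP header (checksum left at 0) followed by data."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       5 << 4, flags, 65535, 0, 0) + data

def accelerator_view(packet):
    """Return what an in-path TCP accelerator can read from one IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    proto, body = packet[9], packet[ihl:]
    if proto == 6:                        # TCP header is in the clear
        sport, dport, seq, ack, off, flags = struct.unpack("!HHIIBB", body[:14])
        return {"accelerable": True, "sport": sport, "dport": dport,
                "seq": seq, "ack": ack, "flags": flags,
                "payload_len": len(body) - (off >> 4) * 4}
    if proto == 50:                       # ESP: only SPI and ESP sequence visible
        spi, esp_seq = struct.unpack("!II", body[:8])
        return {"accelerable": False, "spi": spi, "esp_seq": esp_seq}
    return {"accelerable": False, "proto": proto}  # e.g. GRE (47) used by PPTP

# Constructed sample: SSL-VPN traffic is an ordinary TCP segment to port 443
# whose payload is a TLS application-data record (contents are opaque).
TLS_RECORD = b"\x17\x03\x03\x00\x10" + bytes(16)
SSL_VPN_PKT = ipv4(6, tcp(51000, 443, 1000, 2000, 0x18, TLS_RECORD))

# Constructed sample: IPSec ESP packet. The inner TCP segment would be
# ciphertext; the 0xAA bytes are a stand-in for that ciphertext.
ESP_PAYLOAD = struct.pack("!II", 0x1001, 7) + b"\xaa" * 64
IPSEC_PKT = ipv4(50, ESP_PAYLOAD)

if __name__ == "__main__":
    print("SSL-VPN:", accelerator_view(SSL_VPN_PKT))
    print("IPSec:  ", accelerator_view(IPSEC_PKT))
```

In the SSL-VPN case the ports, sequence and acknowledgement numbers are all readable, which is what the accelerator needs to do its work; in the ESP case it sees only an SPI and a counter.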