Indeed, the user is the worst thing that can happen to a system. Some years ago, I got a job as a sys admin. I soon did a security audit, defined a security policy, wrote procedures, issued new usernames/passwords to the users (no domain controller), updated the passwords of every machine, etc., and a month later I found out that there were post-it notes with usernames/passwords underneath the screens!
I don't know the resource requirements for IPsec, but I have seen some sort of it implemented in modems and routers that were using ARM7 or 9, so I believe it should be doable, but I have no experience in this.