I think the way to go here is implementing a "full-mesh" VPN network through your 3 Internet entry points. I think that answers the feasibility. Adding VPN client is no problem either as long as you make sure that their "policies" will be delt after your VPN sites. Because your mobile users are bound not to have the same IP addresses each time they connect to the Internet, it's very important that those "wild card" source addresses are being treated AFTER the more precise and well-known Site addresses.
On the second and third point, I feel that the Cisco examples from the CCO would be more than sufficient to accomplish your task. I've delt with Cisco VPN for a very long time and , although there were errors in the configuration examples a year ago or so, the examples are now very mature and are exposing the solutions to your questions,
In the hope that this will help,
Charlieboy