You will also need to know if the DSL requires PPPoE (point-to-point protocol over Ethernet). If so, then make sure that your VPN/firewall is able to terminate PPPoE. Otherwise, you'll need to use one of your PCs as the Internet gateway device so it can terminate PPPoE with software provide by the ISP. This gets pretty messy. Your ISP should be able to tell you what firewall/VPN appliances work with their service.
If you want to have multiple machines at each location, make sure your firewall supports Internet connection sharing (ICS). Almost all do, but it's good to check.
Some protocols like IPsec don't traverse NAT well. If you're working with publicly routable addresses for both your VPN devices, you won't have any problems with NAT. On the other hand, if you're working with private addresses that are being NAT'ed by another firewall or by the ISP, you'll need a VPN device that can encapsulate the IPsec inside TCP or UDP to get through the NAT.
One last note, TCP/UDP encapsulation chews up processing power, causing devices to perform 50% slower than with pure IPsec. So, if you need to use TCP/UDP encapsulation, you may want to upgrade the VPN/firewall appliance to one a little more powerful.
This was first published in June 2002