DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

VPN restriction to IPs

17 Feb 2021 09:23 #1 by jasonmilsom
VPN restriction to IPs was created by jasonmilsom
Can you set the VPN to allow access from external IPs using the object list the same way you do for router management?
We like to have a VPN setup to allow access to VoIP handsets we have on site, but with L2TP with IPsec enabled the router fails its PCI scan.

17 Feb 2021 15:43 #2 by hornbyp
Replied by hornbyp on topic Re: VPN restriction to IPs
I don't believe you can - the VPN server is upstream of the Firewall.

What sort of VPN connection is it - LAN-to-LAN or Dial-in User?

Using IKE Main Mode, restricting access to a particular IP is the default position ...

For a LAN-to-LAN connection, tick [ ]Specify Remote VPN Gateway and fill in the IP address of "Peer VPN Server IP". This should 'un-grey' IKE Pre-Shared Key, in the IKE Authentication Method - where you can enter a Pre-Shared Key specific to that connection.

There's something similar in a Remote Dial-in User entry (but it says [ ]Specify Remote Node, on my 2860).

Make sure the "General Pre-Shared Key" @ VPN IKE/IPsec General Setup is either not set up, or is different. (This is how DrayTek seem to get round the requirement for a Fixed IP address, when using Main Mode) - it's also used for Aggressive Mode. If it's not configured, no one can connect without using Main Mode and going through one of the aforementioned routes, which will be tied to IP addresses.

It's worth noting that I'm talking somewhat hypothetically - I've never actually used this configuration... :|

Moderators: Sami