First off, the Cisco 2821 is just a router. I don't know where you've gotten this "layer 2 router" business from (the statement is an oxymoron in itself), but a 2821 is a perfectly capable IP router.
You don't want to extend a layer 2 broadcast domain across a VPN. You won't like how it performs.
Let's call your existing location "site A" and the new location "site B". Let's call the networks:
- Site A Data subnet - VLAN id 1 - 192.168.0.0/24
- Site A Voice subnet - VLAN id 2 - 192.168.1.0/24
- Site B Data subnet - VLAN id 1 - 192.168.2.0/24
- Site B Voice subnet - VLAN id 2 - 192.168.3.0/24
In your 2821s, you'd set up an IPSEC tunnel between the sites. Here's a decent example using a static key: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml
Once you've got that, you'll create VLAN interfaces on the routers on each end, assigning the routers IP addresses in each VLAN:
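Router in Site A:

```
! Physical interface carries the trunk; addressing lives on the subinterfaces
interface FastEthernet0/0
 no ip address
 no shutdown
! Data subnet, VLAN 1 (native, untagged)
interface FastEthernet0/0.1
 encapsulation dot1q 1 native
 ip address 192.168.0.1 255.255.255.0
! Voice subnet, VLAN 2 (802.1Q tagged)
interface FastEthernet0/0.2
 encapsulation dot1q 2
 ip address 192.168.1.1 255.255.255.0
```

Router in Site B:

```
! Physical interface carries the trunk; addressing lives on the subinterfaces
interface FastEthernet0/0
 no ip address
 no shutdown
! Data subnet, VLAN 1 (native, untagged)
interface FastEthernet0/0.1
 encapsulation dot1q 1 native
 ip address 192.168.2.1 255.255.255.0
! Voice subnet, VLAN 2 (802.1Q tagged)
interface FastEthernet0/0.2
 encapsulation dot1q 2
 ip address 192.168.3.1 255.255.255.0
```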
Assuming you've set the IPSEC tunnel up properly w/ the proper addresses being excluded from NAT, traffic between the various subnets in the sites will be transparently encrypted and sent to the other end. The routers at each end will, because of their VLAN interfaces and static routing table entries, automatically tag traffic with the appropriate VLAN tags and drop them onto the Ethernet.
You'll need to configure the switches at both ends with trunk ports to connect the routers to, and you'll have to figure out how to integrate the Site A router into your existing routing topology re: the existing ASA-5505, but this should give you enough to go on to get started.
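The answer above depends on the tunnel's interesting-traffic ACL and the NAT exemption agreeing with the subnet plan at both sites. The following is an added example, not part of the original answer: it derives both ACLs for each router from the four subnets listed above and rejects overlapping address space. The ACL names `VPN-TO-...` and `NAT-OUT` are hypothetical, and attaching them to the crypto map and NAT statement is left out.

```python
import ipaddress

# Subnets exactly as laid out in the answer above.
SITE_A = ["192.168.0.0/24", "192.168.1.0/24"]
SITE_B = ["192.168.2.0/24", "192.168.3.0/24"]

def summarize(cidrs):
    """Collapse adjacent subnets into the fewest covering prefixes."""
    return list(ipaddress.collapse_addresses(ipaddress.ip_network(c) for c in cidrs))

def ios(net):
    """Render a prefix as IOS extended ACLs expect it: address plus wildcard mask."""
    return f"{net.network_address} {net.hostmask}"

def tunnel_acls(local, remote, peer_name):
    """Build the crypto ACL and the NAT ACL for the router that owns `local`.

    ACL names are hypothetical, chosen for this example.
    """
    loc, rem = summarize(local), summarize(remote)
    # Overlapping address space on the two sides cannot be routed through the tunnel.
    for l in loc:
        for r in rem:
            if l.overlaps(r):
                raise ValueError(f"{l} overlaps {r}")
    pairs = [(ios(l), ios(r)) for l in loc for r in rem]
    lines = [f"ip access-list extended VPN-TO-{peer_name}"]
    lines += [f" permit ip {s} {d}" for s, d in pairs]
    lines.append("ip access-list extended NAT-OUT")
    # Tunnel traffic is denied (exempted from NAT) first: ACLs match top-down.
    lines += [f" deny ip {s} {d}" for s, d in pairs]
    lines += [f" permit ip {ios(l)} any" for l in loc]
    return lines

if __name__ == "__main__":
    # Site A's router, then Site B's: source and destination swap places.
    print("\n".join(tunnel_acls(SITE_A, SITE_B, "SITE-B")))
    print("\n".join(tunnel_acls(SITE_B, SITE_A, "SITE-A")))
```

The two outputs are mirror images of each other; a crypto ACL that is not the exact source/destination swap of the peer's is a common reason a tunnel fails to come up.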
Can you post the output of your log while trying to establish a VPN connection at the debugging level? (In the ASDM, go to Monitoring -> Logging -> set logging level to debug in the drop down -> click view)
Also, unless there is a compelling reason to stay at 7.2(4), I would upgrade to the latest 8.x release. The 7.2 series had some pretty major issues.
EDIT
That error means that the interface the incoming VPN is set up on doesn't have a crypto map applied.
If you were following the instructions there, you probably applied the crypto map like this:

```
crypto map outside_map interface outside
```

If you are testing on the same LAN, you would need to do this:

```
crypto map outside_map interface inside
```

Ugly, I know, but it'll let you test; then remove it from the inside interface and you are good to go.
If that doesn't work, would you be willing to post your running config?
EDIT 2:
OK, let's simplify this config a little. Try disconnecting the XP machine from the ASA. Also remove the 192.168.1.1 IP address and DHCP pool from the ASA. Then try to connect via the VPN.
Best Answer
As far as I know, VLANs are a concept that is local to a switch. In consequence the VLANs on site1 are always completely independent from the VLANs on site2.