First off, the Cisco 2821 is just a router. I don't know where you've gotten this "layer 2 router" business from (the statement is an oxymoron in itself), but a 2821 is a perfectly capable IP router.
You don't want to extend a layer 2 broadcast domain across a VPN. You won't like how it performs.
Let's call your existing location "site A" and the new location "site B". Let's call the networks:
- Site A Data subnet - VLAN id 1 - 192.168.0.0/24
- Site A Voice subnet - VLAN id 2 - 192.168.1.0/24
- Site B Data subnet - VLAN id 1 - 192.168.2.0/24
- Site B Voice subnet - VLAN id 2 - 192.168.3.0/24
In your 2821s, you'd set up an IPSEC tunnel between the sites. Here's a decent example using a static key: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml
Once you've got that, you'll create VLAN interfaces on the routers on each end, assigning the routers IP addresses in each VLAN:
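Router in Site A:

```
! Physical port carries the 802.1Q trunk; addresses live on the subinterfaces
interface FastEthernet0/0
 no ip address
 no shutdown
! Data VLAN 1 (native, untagged)
interface FastEthernet0/0.1
 encapsulation dot1q 1 native
 ip address 192.168.0.1 255.255.255.0
! Voice VLAN 2 (tagged)
interface FastEthernet0/0.2
 encapsulation dot1q 2
 ip address 192.168.1.1 255.255.255.0
```

Router in Site B:

```
! Physical port carries the 802.1Q trunk; addresses live on the subinterfaces
interface FastEthernet0/0
 no ip address
 no shutdown
! Data VLAN 1 (native, untagged)
interface FastEthernet0/0.1
 encapsulation dot1q 1 native
 ip address 192.168.2.1 255.255.255.0
! Voice VLAN 2 (tagged)
interface FastEthernet0/0.2
 encapsulation dot1q 2
 ip address 192.168.3.1 255.255.255.0
```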
Assuming you've set the IPSEC tunnel up properly w/ the proper addresses being excluded from NAT, traffic between the various subnets in the sites will be transparently encrypted and sent to the other end. The routers at each end will, because of their VLAN interfaces and static routing table entries, automatically tag traffic with the appropriate VLAN tags and drop them onto the Ethernet.
You'll need to configure the switches at both ends with trunk ports to connect the routers to, and you'll have to figure out how to integrate the Site A router into your existing routing topology re: the existing ASA-5505, but this should give you enough to go on to get started.
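The crypto ACL and NAT exclusion that the answer above assumes, written out for its four subnets as an added example that is not part of the original answer. The ACL numbers, the crypto map name `VPN` and the WAN port `FastEthernet0/1` are assumptions, and the crypto map entry is assumed to already carry the peer and transform set from the linked Cisco example.

```cisco
! Added example. Assumed names: ACLs 110/120, crypto map VPN, WAN port FastEthernet0/1.
! 192.168.0.0 0.0.1.255 = Site A data + voice (192.168.0.0/24 and 192.168.1.0/24)
! 192.168.2.0 0.0.1.255 = Site B data + voice (192.168.2.0/24 and 192.168.3.0/24)
!
! ===== Site A router =====
! Crypto ACL: traffic that gets encrypted
access-list 110 permit ip 192.168.0.0 0.0.1.255 192.168.2.0 0.0.1.255
! NAT ACL: deny tunnel traffic first so it is not translated, then NAT the rest
access-list 120 deny   ip 192.168.0.0 0.0.1.255 192.168.2.0 0.0.1.255
access-list 120 permit ip 192.168.0.0 0.0.1.255 any
!
crypto map VPN 10 ipsec-isakmp
 match address 110
!
ip nat inside source list 120 interface FastEthernet0/1 overload
!
interface FastEthernet0/0.1
 ip nat inside
interface FastEthernet0/0.2
 ip nat inside
interface FastEthernet0/1
 ip nat outside
 crypto map VPN
!
! ===== Site B router =====
! Same entries with source and destination swapped (exact mirror of Site A)
access-list 110 permit ip 192.168.2.0 0.0.1.255 192.168.0.0 0.0.1.255
access-list 120 deny   ip 192.168.2.0 0.0.1.255 192.168.0.0 0.0.1.255
access-list 120 permit ip 192.168.2.0 0.0.1.255 any
!
crypto map VPN 10 ipsec-isakmp
 match address 110
!
ip nat inside source list 120 interface FastEthernet0/1 overload
!
interface FastEthernet0/0.1
 ip nat inside
interface FastEthernet0/0.2
 ip nat inside
interface FastEthernet0/1
 ip nat outside
 crypto map VPN
```

The two crypto ACLs must be exact mirrors of each other, otherwise the IPsec security associations will not come up for the mismatched ranges. `show crypto ipsec sa` on either router shows the encrypt and decrypt packet counters for checking that both the data and voice subnets are actually using the tunnel.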
Best Answer
No, per definition. IPsec is an IP level security tunnel. VLANs are Ethernet level.
Yes. This is a maintenance nightmare if it gets too much and is not automated in management, but it is possible.
If you put up an Ethernet tunnel between them - not sure this is possible - you can then use the "normal" VLAN packets.
http://www.cisco.com/en/US/docs/ios-xml/ios/interface/configuration/xe-3s/ir-eogre.html
has some information, though I am not sure this works on the 1841. But this would allow you to basically send Ethernet frames with VLAN information embedded.
Alternatively a multi routing table setup may work - depends on WHY you have VLANs in the first place. Or something based on MPLS - VPLS. The 1841 does not talk that one though.
More professional routers may allow something like NVGRE for that purpose. Well, not exactly professional - but the 1841 is more an edge level router not something to use in the core.
It seems that the 1841 can do VPLS - that would work best then. Requires you to configure an MPLS setup.
The main problem in answering is that a lot of the choices depend on what you actually try to do from a business point of view and how much control you have over the routers at each endpoint.