OK. I believe it is definitely preserving the markings on encryption. Here is what I do.
In the prerouting mangle table, I mark the packets based on DSCP, address:port, whatever, as VOIP.
I then create a queue tree with a queue dedicated to VOIP. The queue tree is attached to my external interface.
My SIP proxy is on the other end of my IPSEC tunnel. It is also an RTP proxy, so ALL traffic from the phone goes through my IP PBX on the other end of the IPSEC tunnel.
When I am on a call I see the traffic in my VOIP queue.
It seems that the default behaviour is to honour markings of the traffic in the tunnel after encryption. There does not seem to be any way to stop this and I think there should be, but if you had to pick one option, I believe the engineers picked the right one.
I agree with nz_monkey re: the VTI interface. This thread started because I had such a tough time trying to get traffic through the tunnel from the router itself. Not too keen to use GRE, or EOIP. If I can get the NAT rules to be reliable, I would prefer that. Meanwhile I have given up trying to do DHCP relay for now.
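The mark-then-queue setup described above, written out as an added RouterOS configuration example (not the poster's own export). The WAN interface name `ether1-wan`, the PBX address `192.0.2.10`, the RTP port range and the bandwidth figures are assumed placeholders; the DSCP value 46 (EF) is the usual voice marking.

```routeros
# Added example, not from the original post. Assumed values:
#   ether1-wan   = external interface the IPsec tunnel leaves on
#   192.0.2.10   = SIP/RTP proxy on the far side of the tunnel
#   10000-20000  = RTP port range used by the PBX
/ip firewall mangle
# Mark voice by DSCP first (EF = 46); passthrough=no stops later rules re-marking it.
add chain=prerouting dscp=46 action=mark-packet new-packet-mark=VOIP passthrough=no \
    comment="VOIP: DSCP EF"
# Catch SIP signalling and RTP to the PBX that was not DSCP-tagged by the phone.
add chain=prerouting dst-address=192.0.2.10 protocol=udp dst-port=5060,10000-20000 \
    action=mark-packet new-packet-mark=VOIP passthrough=no comment="VOIP: to PBX"

/queue tree
# Parent queue on the external interface; the ESP packets still carry the VOIP mark
# after encryption, so the child queue sees the call traffic.
add name=WAN-out parent=ether1-wan max-limit=10M
add name=VOIP parent=WAN-out packet-mark=VOIP priority=1 limit-at=1M max-limit=10M
add name=Other parent=WAN-out packet-mark=no-mark priority=8 max-limit=10M
```

To confirm the marks survive encryption, place a call and watch the VOIP queue's counters with `/queue tree print stats`, or add a temporary `chain=postrouting out-interface=ether1-wan packet-mark=VOIP action=passthrough` rule and check its counters rise for the ESP traffic.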