Hello,
i have a FreePBX (asterisk) system as my pbx. It is connected to my Mikrotik.
PBX: 10.0.0.210
Mikrotik: 10.0.0.1/24

I have two Mikrotik i have setup server l2tp VPN and client VPN.
Server Mikrotik VPN Adr local: 10.100.0.1
Client mikrotik VPN Remote Address: 10.100.0.2

Inside my internal lan, 10.0.0.0/24, everything is working fine as voip telephony concerned.
When i connected through VPN, i can register my sip phone and i can call every number i want (internal or external). The callee is ringing normally. But i cannot hear anything, he cannot hear anything. There is no audio even in our internal calls.

I am thinking i miss something ... Are the RTP packets that are not passing through? Do i need a NAT rule? I tried to add firewall rule of accepting input chain the tcp 5060,5061 and the udp of my RTP port range but no success ...

I assume that maybe some routes are missing in VPN.
If you are using VPN than no NAT is needed if everything is configured properly.
Wireshark dump will tell you more...

In IP/Firewall/Raw add a rule with source as your VPN pool and destination as your PBX IP in prerouting chain and with action no track.
Copy the rule and reverse source with destination.

(admins - how can I delete an empty post?)

In IP/Firewall/Raw add a rule with source as your VPN pool and destination as your PBX IP in prerouting chain and with action no track.
Copy the rule and reverse source with destination.

@inteq - your solution worked for me. I'm not any the wiser as to why this rule works the way it does, but it solved a problem where I was connecting an IP phone over IPSEC to a phone system at a remote network, that has no working audio without the additional configuration you suggested. Thank you.

(admins - how can I delete an empty post?)

Next to the "edit post" button, there should be a "delete post" one - the [X] one in my skin. It asks you for a brief reasoning of the deletion in the next step. Or you press the "edit post" and there are two more options on the Options tab below the editing field:
[ ] Delete this post
[ ] Permanently delete this post so it can not be recovered

Let me know once you delete your post so I could delete this one

Hello,
i have a FreePBX (asterisk) system as my pbx. It is connected to my Mikrotik.
PBX: 10.0.0.210
Mikrotik: 10.0.0.1/24

I have two Mikrotik i have setup server l2tp VPN and client VPN.
Server Mikrotik VPN Adr local: 10.100.0.1
Client mikrotik VPN Remote Address: 10.100.0.2

Inside my internal lan, 10.0.0.0/24, everything is working fine as voip telephony concerned.
When i connected through VPN, i can register my sip phone and i can call every number i want (internal or external). The callee is ringing normally. But i cannot hear anything, he cannot hear anything. There is no audio even in our internal calls.

I am thinking i miss something ... Are the RTP packets that are not passing through? Do i need a NAT rule? I tried to add firewall rule of accepting input chain the tcp 5060,5061 and the udp of my RTP port range but no success ...

first of all give us ping to server with and without VPN

Check the values for
Settings -> asterisk sip settings -> general sip settings -> nat settings -> local networks

If your network is not listed here, it will be precessed as at nat connection, even if it is not.

One of the symptoms of mis configured nat settings is no audio.

I'm not any the wiser as to why this rule works the way it does

The reason is how IPsec interworks with regular routing and the firewall. If the regular routing sends a packet via some interface, and there is a src-nat or masquerade rule matching on that out-interface(-list) that changes the source address of the packet, the packet may not match to the traffic selector of the IPsec policy any more (in your particular case) or, reverse, it may start matching a traffic selector it otherwise wouldn't (in cases where the router acts as an IPsec initiator that requests IP address from the responder using the mode-config method).

Using the rule proposed by @inteq is one way to prevent the inter-site traffic from getting src-nated, as NAT is one of many functions of connection tracking, and the action=notrack rule in raw excludes the packet from being handled by the connection tracking module.

Other ways how to resolve your issue are also available, an action=accept rule shadowing the src-nat/masquerade one in /ip firewall nat, a route via another interface on which the src-nat/masquerade rule doesn't match). It all depends on your overall needs - action=notrack in raw also prevents stateful firewall from working for the matching traffic, but the other side of this is that excluding packets from connection tracking reduces the amount of CPU spend on their processing.