I had an interesting couple of days configuring, testing and troubleshooting an 851 router remote client EzVPN configuration for use with a Concentrator 3000. Here's the scenario. The main office network utilizes a Concentrator 3000 for secure remote access as well as a Cisco UC520 IP phone system. The idea is to deploy a couple of the 851 routers along with IP handsets to the homes of remote users. The home users' Internet connections are non-static (DHCP). The always-on VPN tunnel would need one-time authentication with split tunnel and split DNS enabled. EzVPN on the 851 was configured through SDM with HTTP intercept authentication enabled. Sample code:
crypto ipsec client ezvpn REMOTE
 connect auto
 group RemoteUsers key cisco123
 mode client
 peer <Concentrator IP>
 xauth userid mode http-intercept
!
interface FastEthernet4
 description $ES_WAN$$ETH-WAN$$FW_OUTSIDE$
 ip address dhcp client-id FastEthernet4
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect SDM_LOW out
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 crypto ipsec client ezvpn REMOTE
!
interface BVI1
 description $ES_LAN$$FW_INSIDE$
 ip address 192.168.2.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1412
 crypto ipsec client ezvpn REMOTE inside
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
Split tunnel with corresponding network list entries was configured on the concentrator. The first time I tried to authenticate from the VPN tunnel Activation Tool webpage, it kept failing. I connected to SDM to try and bring up the VPN tunnel from there, but got an SSH login prompt instead of the XAuth prompt.

Logging in with the router's username and password got me past the SSH login prompt and finally brought up the XAuth prompts for the VPN tunnel. I entered my credentials and the tunnel came up after that. I was able to use the HTTP intercept login page only after disabling ip http secure-server.
ip http server
ip http authentication local
! Disabled the secure server with the next line and was able to bring up the tunnel from the HTTP intercept page
no ip http secure-server
For the IP phone, Option 150 10.1.1.1 was added to the 851 router's local DHCP pool configuration. The phone successfully registered a few moments after the tunnel came up. For split DNS, the 851 router DHCP pool was configured with external and main office internal DNS and WINS IPs. The router's ip domain name setting was configured with the main office network's internal DNS domain name.
ip dhcp pool sdm-pool1
 import all
 network 192.168.2.0 255.255.255.0
 dns-server 4.2.2.1 192.168.1.x 216.136.95.2
 default-router 192.168.2.1
 ! Option 150 points to the UC520
 option 150 ip 10.1.1.1
 netbios-name-server 192.168.1.x 192.168.1.x
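An added example, not part of the original post: a small Python check that reads an IOS config and reports the points the write-up turns on (the EzVPN profile bound to both an outside and an inside interface, the group key sitting in the config text, and the HTTP intercept login page being served without the secure server). The sample config is constructed from the structure shown above, and the function names and finding wording are hypothetical.

```python
import re

# Constructed sample: same structure as the post's config, trimmed to the relevant lines.
SAMPLE = """\
crypto ipsec client ezvpn REMOTE
 group RemoteUsers key cisco123
 xauth userid mode http-intercept
!
interface FastEthernet4
 crypto ipsec client ezvpn REMOTE
!
interface BVI1
 crypto ipsec client ezvpn REMOTE inside
!
ip http server
no ip http secure-server
"""

def parse_sections(text):
    """Map each top-level IOS command to the list of its indented sub-commands."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.strip().startswith("!"):
            current = None                      # blank or comment line ends the section
        elif line[0].isspace() and current is not None:
            sections[current].append(line.strip())
        else:
            current = line.strip()
            sections.setdefault(current, [])
    return sections

def audit_ezvpn(text):
    """Return a list of findings for every EzVPN client profile (hypothetical checks)."""
    sec = parse_sections(text)
    ifaces = [body for top, body in sec.items() if top.startswith("interface ")]
    findings = []
    for top, body in sec.items():
        m = re.fullmatch(r"crypto ipsec client ezvpn (\S+)", top)
        if not m:
            continue
        name = m.group(1)
        if not any(top in b for b in ifaces):
            findings.append(f"{name}: not applied to an outside interface")
        if not any(f"{top} inside" in b for b in ifaces):
            findings.append(f"{name}: no inside interface bound")
        if any(re.match(r"group \S+ key \S+", cmd) for cmd in body):
            findings.append(f"{name}: group key is stored in the config text")
        if "xauth userid mode http-intercept" in body and "no ip http secure-server" in sec:
            findings.append(f"{name}: intercept login page is served over plain HTTP")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_ezvpn(SAMPLE)))
```

The last two findings are the ones to weigh before copying this setup: anyone who can read the running config or a backup of it sees the group key, and with the secure server off the XAuth login page on the home LAN is not encrypted.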
Very good. I would advise all who need a good VPN, use this now vpn,
I have long been using its services.
I advise you to use VPN, it works great! No problem for protecting your data.