I'll do it using the CSipSimple open-source SIP stack, but take note that G729 requires licensing and costs $10/channel, so it may not be something you want to ship along. SIP clients which support G729 offer it as a premium feature (check Bria). Regarding IPsec, it's security at IP level, meaning it's only configured at app level, but should be available at OS level to work. If your aim with the tunnel is to bypass firewall restrictions, you can do it in other ways, using OpenSSL for instance, or even having the client connect to different ports/URLs/protocols (TCP/TLS/UDP). If the aim in security is to avoid traffic being sniffed, you can use secure SIP, along with ZRTP for secure media. To avoid giving the user SIP credentials, it can be implemented using REST services hosted on Apache/IIS. The SIP client never sends the password over the wire to the PBX, so it can't be sniffed afterwards.
I can consider doing this on iOS, for a similar cost.