VPN - default gateway for site to site VPN

In a typical setup for a site-to-site IPsec VPN using Cisco ASA, you don’t need specific static routes for the remote IPs that are used in phase 2 selectors. The phase 2 “selectors” are essentially the defined address ranges within the crypto ACL that specify the interesting traffic for the VPN. These are the subnets or hosts you wish to protect by the VPN.

When traffic matches the criteria specified in that ACL, the VPN is invoked and the traffic is sent over the tunnel.

The Cisco ASA will route traffic based on its Routing Table. It checks the destination of the packet and finds the egress interface. If the traffic matches an interesting traffic defined for a VPN tunnel, then the traffic is encrypted and sent through the tunnel. Otherwise, it is routed normally as per the routing table.

The default route that directs traffic towards the WAN IP will route normal traffic, and not traffic that is matched by the ACL. Matched traffic will be encrypted and will be sent through the VPN tunnel. If traffic matches such an ACL, no routing information is necessary, since the VPN is a point-to-point construct.

This is a similar concept to the reasoning behind the fact that a VPN client doesn't need a configured default gateway.