do you really need to manually add routes for that? the IVE knows where to route the traffic to when it goes to the VPN(NC)-IP-Pool. I only have the two default routes and my NC-IP-Pool is completely different from the subnet in which the IVE is connected.

How do other routers in the network especially the upstream router know where to send the return traffic for the VPN(NC)-IP-Pool?

legend for the following explanation:

192.168.1.0/24 = NC-IP-Pool

10.1.1.1 = firewall

192.168.2.3 = IVE Virt IP

all routers have its route to the core router...

core router has its way to the firewall:

192.168.1.0/24 [1/0] via 10.1.1.1

the firewall routes the traffic directly to the IVE's virtual IP

192.168.1.0/24 via 192.168.2.3

hope this helps

edit: or what do you mean by return traffic?

Let's add in the assumptions that:

192.168.2.2 = IP of IVE internal interface

Ok, so we were talking about the same thing My question was where does the firewall, in the example you gave, point at as gateway for 192.168.1.0/24. Is it 192.168.2.3 (IVE Virt IP) or 192.168.2.2 (IVE Internal Interface IP)?

And so, you answered my query. Thanks!

By return traffic, I mean a IVE user, say 192.168.1.10, will have their packed routed to a destination, say 10.2.2.2, but then without proper routes added for 192.168.1.0/24, the responses won't get routed back from 10.2.2.2 to 192.168.1.10.