IPSec local IP

Hi,

I am using the VyOS virtual appliance on AWS to interconnect VPCs across regions. I have a VPC where my VyOS routers reside that acts as a transit VPC, and I terminate AWS VPN tunnels on the VyOS appliances.

I have seen, in all the configuration examples that I have found, that the ipsec local-address is set to the private IP of eth0 and the ipsec interface is also set to eth0. This configuration in itself works 100%, but I was wondering about the feasibility of setting the tunnel source to the vti interface. Or is that not possible or advisable?

The reason I thought this would be useful is that it would give me the ability to disable the vti interface to force the tunnel down. Currently, with eth0 being the ipsec interface, when I disable the vti interface, the BGP session disconnects but the tunnel stays up.

Your insights on this would be appreciated.
Thanks