Yes...this should work. HOWEVER, in the routing table config for VPN on the IAP, you MUST define the physical interfaces for that destination subnet.
For example:
Consider an organization with 2 datacenters: DC1 and DC2. Each datacenter has a pair of VRRP-based redundant controllers.
- Primary datacenter (DC1)
  - The physical IP of the master controller in the primary datacenter is 10.68.33.6
  - The physical IP of the VRRP backup controller in the primary datacenter is 10.68.33.7
  - The Virtual IP between the master and VRRP backup controller in the primary datacenter is 10.68.33.8
- Backup datacenter (DC2)
  - The physical IP of the master controller in the backup datacenter is 10.68.48.6
  - The physical IP of the VRRP backup controller in the backup datacenter is 10.68.48.7
  - The Virtual IP between the master and VRRP backup controller in the backup datacenter is 10.68.48.8
- In this case the routing profile on an IAP branch that wants to tunnel 10.0.0.0/8 will be:
  - 10.0.0.0 255.0.0.0 10.68.33.6
  - 10.0.0.0 255.0.0.0 10.68.33.7
  - 10.0.0.0 255.0.0.0 10.68.48.6
  - 10.0.0.0 255.0.0.0 10.68.48.7
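
A check for the rule in the answer above, as an added example that is not part of the original post: it parses a routing profile written as `destination netmask next-hop` lines and flags any next hop that is a VRRP virtual IP instead of a physical controller IP. The function names, the inventory layout, and the extra check that every physical controller is listed for each destination are assumptions made for illustration.

```python
import ipaddress

# Controller inventory taken from the example above (the dict layout is an assumption).
CONTROLLERS = {
    "DC1": {"physical": {"10.68.33.6", "10.68.33.7"}, "vip": "10.68.33.8"},
    "DC2": {"physical": {"10.68.48.6", "10.68.48.7"}, "vip": "10.68.48.8"},
}

# Routing profile from the example above, one "<destination> <netmask> <next hop>" per line.
PROFILE = """\
10.0.0.0 255.0.0.0 10.68.33.6
10.0.0.0 255.0.0.0 10.68.33.7
10.0.0.0 255.0.0.0 10.68.48.6
10.0.0.0 255.0.0.0 10.68.48.7
"""


def parse_profile(text):
    """Return (destination network, next-hop string) tuples; raise ValueError on bad lines."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"expected 'dest mask nexthop', got: {line!r}")
        dest, mask, hop = fields
        network = ipaddress.ip_network(f"{dest}/{mask}")  # rejects bad masks and host bits
        routes.append((network, str(ipaddress.ip_address(hop))))
    return routes


def check_profile(text, controllers=CONTROLLERS):
    """Return findings; empty means only physical IPs are used and none is missing (assumed rule)."""
    known = set().union(*(c["physical"] | {c["vip"]} for c in controllers.values()))
    hops_by_dest = {}
    for network, hop in parse_profile(text):
        hops_by_dest.setdefault(network, set()).add(hop)
    findings = []
    for network, hops in hops_by_dest.items():
        for dc, info in controllers.items():
            if info["vip"] in hops:
                findings.append(f"{network}: next hop {info['vip']} is the {dc} VRRP virtual IP")
            for missing in sorted(info["physical"] - hops):
                findings.append(f"{network}: missing {dc} physical controller {missing}")
        for hop in sorted(hops - known):
            findings.append(f"{network}: next hop {hop} is not a known controller")
    return findings
```

`check_profile(PROFILE)` returns an empty list for the profile in the answer; replacing the two DC1 lines with a single route to 10.68.33.8 yields one virtual-IP finding and two missing-controller findings.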