Default route across VPN tunnel
We are using IPsec over a Metro Ethernet connection. This connection provides no Internet service, only service to HQ. The goal is to send all traffic across the tunnel. Now I've found a solution but I don't know why it works... One default route is created by DHCP for WAN1 and given distance 5. Still I want to use the tunnel for everything, except IPsec traffic itself obviously! Apparently I have to use the same distance for a second default route (the one across the tunnel) or everything breaks (it sends everything across the tunnel or to wan).
Additionally, in order to distinguish the two default routes I have:
1) dropped the priority (not the distance) of the default route set by DHCP on wan1 to 3 (instead of 0)
2) specified a second default route 0.0.0.0/0 -> VPN_HQ (the tunnel interface) with priority 0 (hence making it the boss)
The kernel routing table, and therefore also the route cache, now look like this:
tab=254 vf=1 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=0.0.0.0 dev=34(VPN_HQ)
tab=254 vf=1 scope=0 type=1 proto=11 prio=3 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=192.168.178.1 dev=5(wan1)
It does what I want it to do. However, I don't really understand how it knows that the outer-tunnel traffic should use wan1, while the inner-tunnel traffic uses VPN_HQ.
I would like to rule out that it only works because of a bug, or because of some side effect that will make my life miserable in the future, like a ticking time bomb. In any case, I haven't found any documents that describe how to (correctly) create the setup we desire... Any enlightenment on this matter is very welcome.
Thanks, Marki
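The configuration below is an added example of the setup the post describes, written in FortiOS CLI syntax; it is not the poster's own configuration. The tunnel name VPN_HQ, the interface wan1, the DHCP gateway 192.168.178.1 and the distance/priority values are taken from the post; the HQ peer address 203.0.113.1, the pre-shared key placeholder and the static-route sequence numbers are assumptions. The host route to the peer (step 3) is not something the post mentions: it is the belt-and-braces check a practitioner adds so that the outer IKE/ESP traffic is selected by longest prefix match rather than by the priority tie-break between the two default routes.

```fortios
# Added example, not the original poster's configuration.
# Assumed: 203.0.113.1 is the HQ IPsec peer; <shared-secret> is a placeholder.

# 1) DHCP-learned default route on wan1: keep distance 5, demote it with priority 3
#    (in FortiOS the lower priority value is preferred among routes of equal distance)
config system interface
    edit "wan1"
        set mode dhcp
        set distance 5
        set priority 3
    next
end

# 2) Route-based tunnel bound to wan1; the outer IKE/ESP packets are addressed to
#    the peer and leave via the bound interface (other phase1/phase2 settings omitted)
config vpn ipsec phase1-interface
    edit "VPN_HQ"
        set interface "wan1"
        set remote-gw 203.0.113.1
        set psksecret <shared-secret>
    next
end

# 3) Host route to the peer via wan1 (assumed addition): a /32 beats both /0 routes
#    on prefix length, so ESP/IKE can never be attracted into the tunnel it carries,
#    whatever the priorities of the default routes.
# 4) Second default route into the tunnel with the same distance (5) and the
#    better priority (0), exactly as in the post.
config router static
    edit 1
        set dst 203.0.113.1 255.255.255.255
        set device "wan1"
        set gateway 192.168.178.1
    next
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set device "VPN_HQ"
        set distance 5
        set priority 0
    next
end

# Verify: both /0 routes are active with equal distance, the tunnel route with
# the lower priority, plus the /32 to the peer
get router info routing-table all
get router info kernel

# Verify on the wire: outer packets leave on wan1, inner traffic enters VPN_HQ
diagnose sniffer packet wan1 'host 203.0.113.1 and (esp or udp port 500 or udp port 4500)' 4
diagnose sniffer packet VPN_HQ 'none' 4
```

Two things to check on the running box: the two default routes must really have the same distance, since FortiOS only installs the lowest-distance routes for a prefix into the forwarding table and the priority tie-break only applies among those; and because the wan1 gateway is learned by DHCP, confirm that the gateway on the /32 host route still matches what DHCP handed out (FortiOS also offers `set dynamic-gateway enable` on a static route for that case; verify it is available on your FortiOS version before relying on it).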