It still puzzles me how you can have an IP address on an interface (= default vlan1 untagged) and have VIF1 (= default vlan1 tagged) at the same time.
What's the intention of the 10.1.1.0/24 route?
You manually configured the remote IPsec peer as the next hop for it, but this peer isn't directly connected.
If you want to route packets over a VPN tunnel, use VTI interfaces.