The system IP ideally is not a routable IP; it is just an identifier, as it is not an IP itself... it only uses the IPv4 notation.
However, it is a good practice to create a loopback in the service VPN for management with that IP; however, it is not m...
The specific legacy site-to-site VPN (the one where you match interesting traffic) is not supported; the only supported one is via VTI with protected ipsec command, which basically leverages the standard phase1 ISAKMP and phase2 for IPsec.
If you have an "X" AAR policy with scope of "Y" sites, you will receive only SLA events for these "Y" sites, so please make sure of the scope of the site IDs you are covering with the policy.