The main site has a fixed IP on the WAN side of the router which allows the remote site to find it. This site authenticates to the remote site "IP address only".
The remote site has PPPoE so its actual IP address is unknown to the main site. When it contacts the main site it hands it the current IP address and an email address. If the email address matches what the main site expects, the connection is accepted. This is separate from the encryption keys which are then negotiated.
The sites recognize each other on the WAN side and both register "connected" which means authentication has succeeded. I don't know for sure yet if the encryption negotiation is working. The method selected is based on "previously known key".
What I listed were the LAN subnets at each end, and each knows the subnet address of the other so presumably routing can occur through the tunnel even though these are "private" IP addresses.