Ok thanks. So something like this:
set interface "tunnel.2" mip 10.0.2.0 host 10.0.1.0 netmask 255.255.255.0 vr "trust-vr"
set policy from "Untrust" to "Trust" "172.25.102.0/24" "MIP(10.0.2.0/24)" "ANY" permit
And then in the tunnel configuration for the other side I'd set it to expect traffic from 10.0.2.0/24 addresses?
Would this pose a problem w/ the traffic from 172.25.101.0/24? If possible I'd like to not NAT the source traffic from 172.25.101.0/24, as DNS rides over this tunnel.