I just cleared everything out and tried this:
set zone name "vpn" vrouter "trust-vr"
set interface tunnel.5 zone "vpn"
set interface tunnel.5 ip 172.21.1.1/24
set interface tunnel.5 mip 172.21.1.1 host 10.1.1.1 netmask 255.255.255.0 vrouter "trust-vr"
set route 172.27.175.0/24 interface tunnel.5
set route 172.18.245.0/24 interface tunnel.5
set address "vpn" "corporate-hosted" 172.18.245.0 255.255.255.0
set address "vpn" "vendor-server" 172.27.175.0 255.255.255.0
set address "trust" "local-net" 10.1.1.0 255.255.255.0
set ike gateway "vendor-ike" address A.A.A.B Main outgoing-interface untrust preshare "myvpnkey" proposal "pre-g2-3des-md5"
set vpn "vendor-vpn" gateway "vendor-ike" proposal "nopfs-esp-3des-md5"
set vpn "vendor-vpn" bind interface tunnel.5
set policy from "Trust" to "vpn" "local-net" "corporate-hosted" "ANY" permit
set policy from "vpn" to "Trust" "corporate-hosted" "MIP(172.21.1.1/24)" "ANY" permit
set policy from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set flow tcp-mss 1350
Sending a test packet from the remote side, I was getting an error in the firewall log stating that the Juniper was sending 0.0.0.0/0 as the proxy-ID, so it didn't match any of the defined ACLs. I then added a proxy-ID for one of the subnets in question, but that errored out as well.
I reverted the changes, but if there's a way to do this without scrapping the idea, I'd be open to it. I read an article (https://kb.juniper.net/InfoCenter/index?page=content&id=KB15314&actp=METADATA) that suggested this might be possible using a DIP instead of a MIP, but I wasn't sure that would work either.