Hi,
Usually VPN policy lookup happens from the decryption interface's zone to the destination address zone. And mostly it's either untrust to LAN side or tunnel interface zone to LAN side zone.
1: Is it a policy-based VPN or route-based?
2: Are you referring to the users connecting to the VPN from outside, from the Internet, OR users on your LAN side communicating with the VPN users?
Thanks,
Vikas