Once an IPSEC vpn is created you can choose the routes you want to transport over that link. Naturally they need to be configured on both sides.
With this only the gateway ip address needs to be reachable by the SSG. All other routes can be configured to go over the tunnel regardless of the paths and routes in between.