I think we're not on the same page.
According to your configuration, private IP devices from the 172.16.12.0/24 subnet should NOT be able to access the internet. The reason is that you have a NAT configuration for Trust -> Untrust traffic and a security policy for Trust -> Untrust traffic, but you do NOT have either of those for IPSEC-VPN -> Untrust traffic.