On the side of the VPN tunnel is the 172.17.1.0/24 network. If they want to get to the 172.16.12.0/24 network they need to go through the VPN tunnel IPSEC-VPN.
If the traffic is destined for any public internet address they should just go through from trust to untrust directly and be NAT'ed.
It is almost as if the ge-0/0/0 thru ge-0/0/5, not being in the trust zone, are not able to communicate through anywhere. How would I get them included in the trust zone? The system will not allow it because of the mix between l2 and l3 interfaces. Since the untrust interface is a l3 interface the trust interface must also be l3. This is why the trust interface is irb.0. Since the other interfaces, ge-0/0/0 thru ge-0/0/5 are l2 they cannot be added to the trust zone.
I hope this helps.