I'm assuming that by "default gateway" you mean the xx.xx.xx.1 address listed as gateway for eth0/0.
So, you have the gateway address of xx.xx.xx.1 in the Untrust zone, and the VPN client in the Untrust zone as well, but your dial-up VPN policy is for traffic between zone Untrust and Trust, hence there's no policy to facilitate traffic between the VPN client and the default gateway.
The SA would normally expire if there's no traffic (e.g. real traffic, keep-alives, or something else). Depending on the client, it can be "dialed up" again when there's a need. To see if there's a problem, try, for example, continuously pinging an IP in your Trust zone from the VPN client, and see if the SA gets destroyed while doing that.