Hi
Probably, what you've heard was: tunnel interface IP addresses should be in the same subnet.
For example, st0.0 on one side has 10.0.0.1/24 and st0.0 on the other side has 10.0.0.2/24.
In this case a route to 10.0.0.0/24 will be added to the routing table automatically, pointing
to the tunnel, and the IP of the other tunnel interface will be available (for pings, etc.)
without any additional config. Note that st0.0 can even be unnumbered: just configure
family inet, with no address. It will work.
But protected subnets behind different firewalls should be in different IP subnets - firewall72
is right, this is the best design.