Hi,
If I need an "alternative" VPN GW on an SSG that is already configured for IPSec, I solve the problem this way:
Let's assume that the VPN is terminated on the interface in the Untrust zone and the latter is mapped to the trust-vr.
a) create a loopback interface in Untrust zone
b) allow the subnet conflict for interfaces in trust-vr: set vrouter trust-vr ignore-subnet-conflict
c) assign a free public IP to the loopback interface as x.x.x.x/32
d) create an arp-proxy entry on Untrust interface to make the loopback interface arp-responsive:
set interface ethernetx/y proxy-arp-entry x.x.x.x x.x.x.x
You can also route this IP on the CPE router towards the FW, but a proxy-arp entry is better.
e) configure an Untrust-to-Untrust policy that enables IKE (UDP 500) from the remote GW to x.x.x.x/32
Now you can configure an IPSec VPN as usual, using the loopback interface as a VPN GW.
Hopefully all these commands are supported in 5.4.
I have tested this configuration with the route-based VPN only, as I never use the policy-based VPN.
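Steps a) to e) collected into one ScreenOS configuration, as an added example that is not part of the original post. The interface names (ethernet0/0, loopback.1, tunnel.1), the object names, the documentation-range addresses (203.0.113.10 for the loopback, 198.51.100.1 for the remote gateway) and the pre-shared key placeholder are assumptions; lines starting with # are annotations, not commands to enter.

```screenos
# a) loopback interface in the Untrust zone (loopback.1 is an assumed name)
set interface loopback.1 zone Untrust

# b) allow overlapping subnets on interfaces in trust-vr
set vrouter trust-vr ignore-subnet-conflict

# c) free public IP on the loopback as a /32 (constructed address)
set interface loopback.1 ip 203.0.113.10/32

# d) proxy-ARP entry on the physical Untrust interface so the
#    upstream router can resolve the loopback address
#    (ethernet0/0 is an assumed name; low and high address are the same)
set interface ethernet0/0 proxy-arp-entry 203.0.113.10 203.0.113.10

# e) Untrust-to-Untrust policy: IKE only, and only from the one remote
#    gateway to the loopback address (object names are assumptions)
set address Untrust "remote-gw" 198.51.100.1/32
set address Untrust "alt-vpn-gw" 203.0.113.10/32
set policy from Untrust to Untrust "remote-gw" "alt-vpn-gw" "IKE" permit log

# Route-based VPN configured as usual, with the loopback as the
# outgoing interface of the IKE gateway (PSK shown as a placeholder)
set ike gateway "alt-gw" address 198.51.100.1 main outgoing-interface loopback.1 preshare "<PSK-PLACEHOLDER>" sec-level standard
set interface tunnel.1 zone Untrust
set interface tunnel.1 ip unnumbered interface loopback.1
set vpn "alt-vpn" gateway "alt-gw" sec-level standard
set vpn "alt-vpn" bind interface tunnel.1
```

Keeping the source of the IKE policy pinned to the single remote gateway address, rather than any, limits who can reach the IKE listener on the new address, and the log keyword records the negotiation attempts.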