I think that it's not documented... at least the doc says that a VPN
circuit between a 3d party VPN device and a BM38 server is always with
the master, and the possibility to do it with slaves is not explicit.

So I did it to see, and it's working... for the moment... I would be
interested to know if that's working as designed... or by chance...

First I built the following 3dparty configuration some months ago using
a pre-shared key and a Zywall 100 (a Zyxel box)... all BM servers are 3.8
with at least SP2.

BM1_master protects /24 /24 in fact behind BM2_slave /24 in fact behind BM3_slave

3d_slave protects /24

With the routing table in BM2 and BM3 pointing to the tunnel address of
BM1 to reach the 3d_slave network, it was working, but all the traffic was
sent to the master.

Now I've changed the 3dparty config and directly told the Zywall that
the remote peer ID for the same protected networks was the public IP
address of the BM2 and BM3 slaves.

In the routing table of BM2 and BM3 I just write to send all the traffic
for through the (very virtual) tunnel address of the
3d_slave, and it's also working.

The pre-shared key has been computed and the circuits are up.

So it seems that the 3dparty attributes are also pushed to all the
slaves and that they're able to use them to build a circuit when there
is a call from the 3dparty device.

I'm not yet sure that the circuits can be mounted if the call comes from
the BM2 or BM3 network, but at this stage it's a detail.

And I haven't yet tested a full restart of all the systems, but I don't see
any reason for the config being broken now.

Am I lucky, or was it really built to work?