This configuration seems to be missing sections that mine has that works.....
Here is my configuration, with the Physical Interface in one VR and the logical in a separate VR. It may point in the right direction for you to resolve your issue:
set security ike proposal ncp-proposal authentication-method pre-shared-keys
set security ike proposal ncp-proposal dh-group x
set security ike proposal ncp-proposal authentication-algorithm x
set security ike proposal ncp-proposal encryption-algorithm x
set security ike proposal ncp-proposal lifetime-seconds 10800
set security ike policy ncp-policy mode aggressive
set security ike policy ncp-policy proposals ncp-proposal
set security ike policy ncp-policy pre-shared-key ascii-text <Key>
set security ike gateway ncp-gateway ike-policy ncp-policy
set security ike gateway ncp-gateway dynamic user-at-hostname "test@ncp.juniper.net"
set security ike gateway ncp-gateway dynamic connections-limit 10
set security ike gateway ncp-gateway dynamic ike-user-type shared-ike-id
set security ike gateway ncp-gateway external-interface ge-0/0/1
set security ike gateway ncp-gateway aaa access-profile radius
set security ike gateway ncp-gateway version v1-only
set security ike gateway ncp-gateway tcp-encap-profile NCP
set security ipsec proposal ncp-ipsec-proposal protocol x
set security ipsec proposal ncp-ipsec-proposal authentication-algorithm x
set security ipsec proposal ncp-ipsec-proposal encryption-algorithm x
set security ipsec proposal ncp-ipsec-proposal lifetime-seconds 3600
set security ipsec policy ncp-ipsec-policy perfect-forward-secrecy keys x
set security ipsec policy ncp-ipsec-policy proposals ncp-ipsec-proposal
set security ipsec vpn ncp-ipsec-vpn bind-interface st0.1
set security ipsec vpn ncp-ipsec-vpn ike gateway ncp-gateway
set security ipsec vpn ncp-ipsec-vpn ike idle-time 900
set security ipsec vpn ncp-ipsec-vpn ike ipsec-policy ncp-ipsec-policy
set security ipsec vpn ncp-ipsec-vpn traffic-selector TS1 local-ip 0.0.0.0/0
set security ipsec vpn ncp-ipsec-vpn traffic-selector TS1 remote-ip 0.0.0.0/0
set security tcp-encap profile NCP
set access profile radius address-assignment pool NCP_POOL
set access address-assignment pool NCP_POOL family inet network 172.16.10.0/24
set access address-assignment pool NCP_POOL family inet xauth-attributes primary-dns 8.8.8.8/32
set access address-assignment pool NCP_POOL family inet xauth-attributes secondary-dns 8.8.4.4/32
set access profile radius client <User-name> firewall-user password <Password>
set access profile radius address-assignment pool NCP_POOL
From the perspective of policies, I simply have any any any permit as there is no other traffic at this point.
The ge interface is in the VPN-VR and the st0.1 interface is in the customer-VR
set routing-instances Customer-VR interface st0.1
set routing-instances restapivpn interface ge-0/0/1.0
Routing is held in the customer-vr where the st endpoint resides:
set routing-instances Customer-VR routing-options static route 172.16.10.0/24 next-hop st0.1
When you complete a "traceroute" from your laptop to something that exists at the far end of the VPN (not the SRX), what are the results please?