Here's the configuration I have used. I don't think I have missed anything:
1: NCP Secure Client Configuration:
set security ike proposal ncp-proposal authentication-method pre-shared-keys
set security ike proposal ncp-proposal dh-group group2
set security ike proposal ncp-proposal authentication-algorithm sha1
set security ike proposal ncp-proposal encryption-algorithm aes-192-cbc
set security ike proposal ncp-proposal lifetime-seconds 10800
set security ike policy ncp-policy mode aggressive
set security ike policy ncp-policy proposals ncp-proposal
set security ike policy ncp-policy pre-shared-key ascii-text
set security ike gateway ncp-gateway ike-policy ncp-policy
set security ike gateway ncp-gateway dynamic user-at-hostname "test@ncp.juniper.net"
set security ike gateway ncp-gateway dynamic connections-limit 10
set security ike gateway ncp-gateway dynamic ike-user-type shared-ike-id
set security ike gateway ncp-gateway external-interface ge-0/0/1
set security ike gateway ncp-gateway aaa access-profile radius
set security ike gateway ncp-gateway version v1-only
set security ike gateway ncp-gateway tcp-encap-profile NCP
set security ipsec proposal ncp-ipsec-proposal protocol esp
set security ipsec proposal ncp-ipsec-proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal ncp-ipsec-proposal encryption-algorithm aes-128-cbc
set security ipsec proposal ncp-ipsec-proposal lifetime-seconds 3600
set security ipsec policy ncp-ipsec-policy perfect-forward-secrecy keys group2
set security ipsec policy ncp-ipsec-policy proposals ncp-ipsec-proposal
set security ipsec vpn ncp-ipsec-vpn bind-interface st0.1
set security ipsec vpn ncp-ipsec-vpn ike gateway ncp-gateway
set security ipsec vpn ncp-ipsec-vpn ike idle-time 900
set security ipsec vpn ncp-ipsec-vpn ike ipsec-policy ncp-ipsec-policy
set security ipsec vpn ncp-ipsec-vpn traffic-selector TS1 local-ip 0.0.0.0/0
set security ipsec vpn ncp-ipsec-vpn traffic-selector TS1 remote-ip 0.0.0.0/0
2: Address book entry for VPN-Pool:
set security address-book global address ncp-vpn-pool 172.16.10.0/24
3: Security Policies required between the zones (as I am using Logical tunnels I only ever need the policies from and to the same zone, not between the zones):
set security policies from-zone Customer-Network to-zone Customer-Network policy customertocustomer match source-address any
set security policies from-zone Customer-Network to-zone Customer-Network policy customertocustomer match destination-address any
set security policies from-zone Customer-Network to-zone Customer-Network policy customertocustomer match application any
set security policies from-zone Customer-Network to-zone Customer-Network policy customertocustomer then permit
set security policies from-zone Customer-Network to-zone Customer-Network policy customertocustomer then log session-init
set security policies from-zone restapivpn to-zone restapivpn policy restapi1 match source-address any
set security policies from-zone restapivpn to-zone restapivpn policy restapi1 match destination-address any
set security policies from-zone restapivpn to-zone restapivpn policy restapi1 match application any
set security policies from-zone restapivpn to-zone restapivpn policy restapi1 then permit
4: Security Zones Configuration:
set security zones security-zone Customer-Network interfaces st0.1
set security zones security-zone restapivpn interfaces ge-0/0/1.0
5: Routing Instance configuration (snippet for VPN only):
set routing-instances Customer-VR instance-type virtual-router
set routing-instances Customer-VR interface st0.1
set routing-instances Customer-VR routing-options static route 172.16.10.0/24 next-hop st0.1
set routing-instances restapivpn instance-type virtual-router
set routing-instances restapivpn interface ge-0/0/1.0
As you can see, the physical interface is in one VR and the logical st interface is in another VR. But to make it work, I still had to have a policy between the two, and I have NO traffic other than the VPN traversing the two. I just wanted to make the VPN more secure and have the data exit point in the right VR.
Hope this helps.
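Added example, not part of the original post: a small Python review pass over Junos set-style lines like the ones above. It flags the legacy DH groups and SHA-1/MD5 algorithms, aggressive mode combined with a pre-shared key, and any/any/any permit policies. The rule names, the `audit` function and the weak-algorithm lists are this example's own assumptions, and the sample input is a constructed subset of the posted configuration.

```python
from collections import defaultdict
# Constructed sample: a subset of the set commands posted above.
SAMPLE = """\
set security ike proposal ncp-proposal authentication-method pre-shared-keys
set security ike proposal ncp-proposal dh-group group2
set security ike proposal ncp-proposal authentication-algorithm sha1
set security ike policy ncp-policy mode aggressive
set security ike policy ncp-policy proposals ncp-proposal
set security ipsec proposal ncp-ipsec-proposal authentication-algorithm hmac-sha1-96
set security ipsec policy ncp-ipsec-policy perfect-forward-secrecy keys group2
set security policies from-zone restapivpn to-zone restapivpn policy restapi1 match source-address any
set security policies from-zone restapivpn to-zone restapivpn policy restapi1 match destination-address any
set security policies from-zone restapivpn to-zone restapivpn policy restapi1 match application any
set security policies from-zone restapivpn to-zone restapivpn policy restapi1 then permit
"""

# Review thresholds chosen for this example (assumption, not from the post).
WEAK_DH = {"group1", "group2", "group5"}
WEAK_HASH = {"md5", "sha1", "hmac-md5-96", "hmac-sha1-96"}

def audit(config):
    """Return a sorted list of (rule, object-name) findings for set-style lines."""
    objs = defaultdict(dict)    # (section, kind, name) -> {last keyword: value}
    rules = defaultdict(dict)   # (from-zone, to-zone, policy) -> match fields + action
    for line in config.splitlines():
        t = line.split()
        if t[:2] == ["set", "security"] and len(t) >= 7 and t[2] in ("ike", "ipsec"):
            objs[(t[2], t[3], t[4])][t[-2]] = t[-1]
        elif t[:3] == ["set", "security", "policies"] and len(t) >= 11:
            r = rules[(t[4], t[6], t[8])]
            if t[9] == "match":
                r[t[10]] = t[-1]
            elif t[10] in ("permit", "deny", "reject"):
                r["action"] = t[10]      # ignores "then log ..." lines
    found = set()
    for (sect, kind, name), kv in objs.items():
        if kv.get("dh-group") in WEAK_DH or kv.get("keys") in WEAK_DH:
            found.add(("weak-dh-group", name))
        if kv.get("authentication-algorithm") in WEAK_HASH:
            found.add(("weak-hash", name))
        # Aggressive mode is flagged only when the referenced proposal uses a PSK.
        prop = objs.get((sect, "proposal", kv.get("proposals")), {})
        psk = prop.get("authentication-method") == "pre-shared-keys"
        if kind == "policy" and kv.get("mode") == "aggressive" and psk:
            found.add(("aggressive-mode-psk", name))
    for (_src, _dst, name), r in rules.items():
        if r.get("action") == "permit" and all(r.get(k) == "any" for k in ("source-address", "destination-address", "application")):
            found.add(("any-any-permit", name))
    return sorted(found)
```

Calling `audit()` on the output of `show configuration | display set` gives one finding per object, so each result maps back to a single proposal or policy name to review.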