Actually, use show security ipsec next-hop-tunnels first to see if the next-hop mappings really are missing ...
Here's a nice write-up that I think matches your use case -- https://junosnotes.blogspot.com/2014/01/srx-vpn-multipoint.html
------------------------------
Nikolay Semov
------------------------------
Original Message:
Sent: 06-03-2025 10:02
From: Nikolay Semov
Subject: FW-SITE1 can't ping FW-SITE2 (Hub-and-Spoke VPN LAB Setup)
You can run show security packet-drop records on the HUB to see what happens with the traffic.
Since st0.0 is multipoint on the HUB with two VPNs bound to it, you'll need to specify which IPsec tunnel corresponds to which next hop:
- set interfaces st0 unit 0 family inet next-hop-tunnel 10.25.0.1 ipsec-tunnel To-FW_SW1
- set interfaces st0 unit 0 family inet next-hop-tunnel 10.25.0.2 ipsec-tunnel To-FW_SW2
------------------------------
Nikolay Semov
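An added example, not part of the original thread or of any Juniper tooling: a Python check of a hub's set-format configuration that lists VPNs bound to a multipoint st0 unit without a static next-hop-tunnel entry, which is the situation the reply above addresses. The sample configuration is constructed (the multipoint, address and bind-interface lines are assumptions), and the check covers static configuration only.

```python
import re
from collections import defaultdict

# Constructed hub configuration (set format). VPN names and next-hop addresses
# come from the reply above; the multipoint, address and bind-interface lines
# are assumptions made for this example.
SAMPLE_HUB_CONFIG = """\
set interfaces st0 unit 0 multipoint
set interfaces st0 unit 0 family inet address 10.25.0.254/24
set interfaces st0 unit 0 family inet next-hop-tunnel 10.25.0.1 ipsec-tunnel To-FW_SW1
set security ipsec vpn To-FW_SW1 bind-interface st0.0
set security ipsec vpn To-FW_SW2 bind-interface st0.0
"""

BIND = re.compile(r"^set security ipsec vpn (\S+) bind-interface (st0\.\d+)$")
MULTI = re.compile(r"^set interfaces st0 unit (\d+) multipoint$")
NHTB = re.compile(
    r"^set interfaces st0 unit (\d+) family inet next-hop-tunnel (\S+) ipsec-tunnel (\S+)$"
)

def missing_nhtb(config: str) -> dict[str, list[str]]:
    """Return {st0 unit: [VPNs bound to it with no static next-hop-tunnel entry]}."""
    bound = defaultdict(list)   # st0.N -> VPN names bound to it
    mapped = defaultdict(set)   # st0.N -> VPN names that have a next-hop-tunnel line
    multipoint = set()          # st0.N units configured as multipoint
    for line in config.splitlines():
        line = line.strip()
        if m := BIND.match(line):
            bound[m.group(2)].append(m.group(1))
        elif m := MULTI.match(line):
            multipoint.add(f"st0.{m.group(1)}")
        elif m := NHTB.match(line):
            mapped[f"st0.{m.group(1)}"].add(m.group(3))
    report = {}
    for ifname in sorted(multipoint):
        gaps = [vpn for vpn in bound[ifname] if vpn not in mapped[ifname]]
        # Only a unit shared by more than one VPN needs a per-tunnel mapping.
        if len(bound[ifname]) > 1 and gaps:
            report[ifname] = gaps
    return report

if __name__ == "__main__":
    for ifname, vpns in missing_nhtb(SAMPLE_HUB_CONFIG).items():
        print(f"{ifname}: no next-hop-tunnel mapping for {', '.join(vpns)}")
```

An empty result says only that every bound VPN has a static entry; show security ipsec next-hop-tunnels on the hub remains the check of what is actually installed.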
Original Message:
Sent: 06-03-2025 02:29
From: Gerald
Subject: FW-SITE1 can't ping FW-SITE2 (Hub-and-Spoke VPN LAB Setup)
Hello Everyone,
I am replicating the lab on hub-and-spoke VPNs. I think the VPN is okay based on the IKE/IPsec security associations. My problem is that the site1 server can't ping the site2 server. Attached is the configuration on each SRX. Need your help.
Topology:

show security ike security-associations

show security ipsec security-associations

Thanks in advance.
------------------------------
Gerald
------------------------------