Hello,
It works in my lab with your config as below (slightly modified for interface names and DH group):
set security ike proposal proposal-1 authentication-method pre-shared-keys
set security ike proposal proposal-1 dh-group group5
set security ike proposal proposal-1 authentication-algorithm sha-256
set security ike proposal proposal-1 encryption-algorithm aes-128-cbc
set security ike proposal proposal-1 lifetime-seconds 86400
set security ike policy policy-1 mode main
set security ike policy policy-1 proposals proposal-1
set security ike policy policy-1 pre-shared-key ascii-text "$9$VtsgJikP36AGD6Ap0hcbs2"
set security ike gateway gateway-1 ike-policy policy-1
set security ike gateway gateway-1 address 80.1.1.2
set security ike gateway gateway-1 no-nat-traversal
set security ike gateway gateway-1 external-interface ge-0/0/0.0
set security ike gateway gateway-1 version v2-only
set security ipsec proposal secproposal-1 protocol esp
set security ipsec proposal secproposal-1 authentication-algorithm hmac-sha-256-128
set security ipsec proposal secproposal-1 encryption-algorithm aes-128-cbc
set security ipsec proposal secproposal-1 lifetime-seconds 3600
set security ipsec policy secpolicy-1 perfect-forward-secrecy keys group5
set security ipsec policy secpolicy-1 proposals secproposal-1
set security ipsec vpn secvpn-1 bind-interface st0.1
set security ipsec vpn secvpn-1 ike gateway gateway-1
set security ipsec vpn secvpn-1 ike ipsec-policy secpolicy-1
set security ipsec vpn secvpn-1 establish-tunnels immediately
set security policies from-zone LAN-VRF to-zone WAN-VRF policy any match source-address any
set security policies from-zone LAN-VRF to-zone WAN-VRF policy any match destination-address any
set security policies from-zone LAN-VRF to-zone WAN-VRF policy any match application any
set security policies from-zone LAN-VRF to-zone WAN-VRF policy any then permit
set security policies from-zone WAN-VRF to-zone LAN-VRF policy any match source-address any
set security policies from-zone WAN-VRF to-zone LAN-VRF policy any match destination-address any
set security policies from-zone WAN-VRF to-zone LAN-VRF policy any match application any
set security policies from-zone WAN-VRF to-zone LAN-VRF policy any then permit
set security zones security-zone LAN-VRF host-inbound-traffic system-services all
set security zones security-zone LAN-VRF host-inbound-traffic protocols all
set security zones security-zone LAN-VRF interfaces ge-0/0/1.0
set security zones security-zone LAN-VRF interfaces st0.1
set security zones security-zone WAN-VRF host-inbound-traffic system-services ping
set security zones security-zone WAN-VRF host-inbound-traffic system-services ssh
set security zones security-zone WAN-VRF host-inbound-traffic system-services ike
set security zones security-zone WAN-VRF interfaces ge-0/0/0.0
set interfaces ge-0/0/0 unit 0 family inet address 20.1.1.1/24
set interfaces ge-0/0/1 unit 0 family inet address 172.16.10.1/24
set interfaces st0 unit 1 description "IPsec to SRX2"
set interfaces st0 unit 1 family inet mtu 1436
set routing-instances LAN-VRF instance-type virtual-router
set routing-instances LAN-VRF interface ge-0/0/1.0
set routing-instances LAN-VRF interface st0.1
set routing-instances LAN-VRF routing-options static route 0.0.0.0/0 next-table WAN-VRF.inet.0
set routing-instances LAN-VRF routing-options static route 172.16.30.0/24 next-hop st0.1
set routing-instances WAN-VRF instance-type virtual-router
set routing-instances WAN-VRF interface ge-0/0/0.0
set routing-instances WAN-VRF routing-options static route 0.0.0.0/0 next-hop 20.1.1.2
Verification:
regress@FW1> show security ike sa
Index State Initiator cookie Responder cookie Mode Remote Address
2724959 UP 79ee962d64f0f88e bdd8d7675bf603d6 IKEv2 80.1.1.2
regress@FW1> show security ipsec sa
Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<131074 ESP:aes-cbc-128/sha256 297cfe73 3538/ unlim - root 500 80.1.1.2
>131074 ESP:aes-cbc-128/sha256 260bc29f 3538/ unlim - root 500 80.1.1.2
regress@FW1> show route table WAN-VRF
WAN-VRF.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0 *[Static/5] 00:25:57
> to 20.1.1.2 via ge-0/0/0.0
20.1.1.0/24 *[Direct/0] 00:28:19
> via ge-0/0/0.0
20.1.1.1/32 *[Local/0] 00:28:19
Local via ge-0/0/0.0
regress@FW1> show route table LAN-VRF
LAN-VRF.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0 *[Static/5] 06:37:18
to table WAN-VRF.inet.0
172.16.10.0/24 *[Direct/0] 00:16:32
> via ge-0/0/1.0
172.16.10.1/32 *[Local/0] 00:16:32
Local via ge-0/0/1.0
172.16.30.0/24 *[Static/5] 00:01:45
> via st0.1
Topology:
SRX FW1[ge-0/0/0]-----R1-------R2--------[ge-0/0/0]SRX FW2
Ping from LAN-VRF towards any destination EXCEPT 172.16.30.0/24 does not work, and this is expected because you did not share NAT rules.
Once I add a NAT rule as below, ping from LAN-VRF towards 80.1.1.2 works:
set security nat source rule-set ifnat from routing-instance LAN-VRF
set security nat source rule-set ifnat to interface ge-0/0/0.0
set security nat source rule-set ifnat rule ifnat-1 match source-address 172.16.10.0/24
set security nat source rule-set ifnat rule ifnat-1 match destination-address 0.0.0.0/0
set security nat source rule-set ifnat rule ifnat-1 then source-nat interface
- BUT - you can see it ONLY in "show security flow session", because returning traffic does NOT have a route from WAN-VRF to your LAN-VRF private IPs, and this is actually one of your requirements:
regress@FW1> ping 80.1.1.1 source 172.16.10.1 routing-instance LAN-VRF
PING 80.1.1.1 (80.1.1.1): 56 data bytes
(no response, but see below)
regress@FW1# run show security flow session source-prefix 172.16.10.1
Session ID: 791, Policy name: self-traffic-policy/1, Timeout: 2, Valid
In: 172.16.10.1/78 --> 80.1.1.1/35878;icmp, Conn ID: 0x0, If: .local..7, Pkts: 1, Bytes: 84, <<<< ICMP ECHO REQUEST
Out: 80.1.1.1/35878 --> 20.1.1.1/19509;icmp, Conn ID: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84, <<<< ICMP ECHO RESPONSE
Session ID: 792, Policy name: self-traffic-policy/1, Timeout: 2, Valid
In: 172.16.10.1/79 --> 80.1.1.1/35878;icmp, Conn ID: 0x0, If: .local..7, Pkts: 1, Bytes: 84, <<<< ICMP ECHO REQUEST
Out: 80.1.1.1/35878 --> 20.1.1.1/12774;icmp, Conn ID: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84, <<<< ICMP ECHO RESPONSE
Total sessions: 2
HTH
Thx
Alex
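As an added example (not part of Alex's reply or of any Juniper tool), the check below parses a trimmed copy of the "set" configuration quoted above and verifies the three things that most often break a route-based VPN split across virtual routers: the st0 unit is in a security zone, the st0 unit is attached to a routing instance, and the zone holding the IKE gateway's external interface permits host-inbound "ike". The helper names `parse_set_config` and `audit_vpn` are hypothetical; the object names are the post's.

```python
# Constructed from the post's "set" configuration, trimmed to the statements the audit needs.
SAMPLE_CONFIG = """
set security ike gateway gateway-1 external-interface ge-0/0/0.0
set security ipsec vpn secvpn-1 bind-interface st0.1
set security ipsec vpn secvpn-1 ike gateway gateway-1
set security zones security-zone LAN-VRF interfaces st0.1
set security zones security-zone WAN-VRF host-inbound-traffic system-services ping
set security zones security-zone WAN-VRF host-inbound-traffic system-services ike
set security zones security-zone WAN-VRF interfaces ge-0/0/0.0
set routing-instances LAN-VRF interface st0.1
set routing-instances WAN-VRF interface ge-0/0/0.0
"""
def parse_set_config(text):
    """Index the Junos 'set' statements the audit needs (hypothetical helper)."""
    zone_of, services, gw_extif, vpn_bind, vpn_gw, ri_of = {}, {}, {}, {}, {}, {}
    for line in text.splitlines():
        t = line.split()
        if t[:1] != ["set"]:
            continue
        t += [""] * (8 - len(t))  # pad so the positional checks below never index past the end
        if t[1:4] == ["security", "zones", "security-zone"]:
            zone = t[4]
            if t[5] == "interfaces":
                zone_of[t[6]] = zone                           # interface -> zone
            elif t[5:7] == ["host-inbound-traffic", "system-services"]:
                services.setdefault(zone, set()).add(t[7])   # zone -> allowed services
        elif t[1:4] == ["security", "ike", "gateway"] and t[5] == "external-interface":
            gw_extif[t[4]] = t[6]                              # gateway -> external interface
        elif t[1:4] == ["security", "ipsec", "vpn"] and t[5] == "bind-interface":
            vpn_bind[t[4]] = t[6]                              # vpn -> st0 unit
        elif t[1:4] == ["security", "ipsec", "vpn"] and t[5:7] == ["ike", "gateway"]:
            vpn_gw[t[4]] = t[7]                                # vpn -> ike gateway
        elif t[1] == "routing-instances" and t[3] == "interface":
            ri_of[t[4]] = t[2]                                 # interface -> routing instance
    return zone_of, services, gw_extif, vpn_bind, vpn_gw, ri_of
def audit_vpn(text):
    """Return one finding per defect; an empty list means the VPN plumbing is consistent."""
    zone_of, services, gw_extif, vpn_bind, vpn_gw, ri_of = parse_set_config(text)
    findings = []
    for vpn, st in vpn_bind.items():
        if st not in zone_of:
            findings.append(f"{vpn}: {st} is bound but not placed in any security zone")
        if st not in ri_of:
            findings.append(f"{vpn}: {st} is not attached to a routing instance (post puts it in LAN-VRF)")
        ext = gw_extif.get(vpn_gw.get(vpn, ""), "")
        zone = zone_of.get(ext)
        if not ({"ike", "all"} & services.get(zone, set())):
            findings.append(f"{vpn}: zone {zone} of {ext} does not allow host-inbound ike")
    return findings
```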