The policy is allow any any any and st0, gr and lo are in the same zone

# NOTE(review): the stanzas below are excerpts; their parent hierarchy levels are
# not shown in the post, so each block is annotated on its own.
# NOTE(review): per the sentence above, the security policy permits any/any/any and
# st0, gr and lo share one zone. That is useful while debugging reachability, but
# once the tunnel works the policy should be narrowed to the flows actually needed.

# OSPF area 0.0.0.0: runs over the GRE unit; lo0.0 is included as passive.
# NOTE(review): no OSPF authentication statement is visible on gr-0/0/0.0 in this
# excerpt - confirm whether one is configured elsewhere.
ospf {
    area 0.0.0.0 {
        interface gr-0/0/0.0;
        interface lo0.0 {
            passive;
        }
    }
}

# Static routes. 4.4.4.4/32 (the GRE tunnel destination below) points into st0.0,
# so GRE packets towards the peer are routed into the IPsec tunnel interface.
# 172.22.98.6/32 uses a next hop on the 172.22.100.0/24 subnet configured on ge-0/0/0.
static {
    route 0.0.0.0/0 next-hop x.x.x.x;
    route 4.4.4.4/32 next-hop st0.0;
    route 172.16.1.0/24 next-hop gr-0/0/0.0;
    route 172.22.98.6/32 next-hop 172.22.100.1;
}

# External interface with two addresses; the primary one is shown as x.x.x.x
# (presumably redacted by the poster).
ge-0/0/0 {
    unit 0 {
        family inet {
            address x.x.x.x/24 {
                primary;
            }
            address 172.22.100.37/24;
        }
    }
}

# GRE tunnel sourced from the local loopback address (3.3.3.3) towards 4.4.4.4.
gr-0/0/0 {
    unit 0 {
        tunnel {
            source 3.3.3.3;
            destination 4.4.4.4;
        }
        family inet {
            address 172.16.5.1/24;
        }
    }
}

# Loopback used as the GRE tunnel source.
lo0 {
    unit 0 {
        family inet {
            address 3.3.3.3/32;
        }
    }
}

# Secure-tunnel interface with no address; VPN-SSG binds to st0.0 below.
st0 {
    unit 0 {
        family inet;
    }
}

# IPsec (phase 2) proposal.
# NOTE(review): only "protocol esp" and hmac-sha1-96 authentication are set; no
# encryption-algorithm statement is visible in this excerpt. Confirm what is actually
# negotiated with the peer - if ESP ends up without encryption, the GRE/OSPF traffic
# is integrity-protected but not confidential.
proposal SSG_IPSEC {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
}

# IPsec policy referencing the proposal above.
# NOTE(review): no perfect-forward-secrecy statement is shown here - confirm that is intended.
policy ipsec-SSG-policy {
    proposals SSG_IPSEC;
}

# Route-based VPN bound to st0.0. "establish-tunnels on-traffic" means the tunnel is
# negotiated when traffic needs it rather than being brought up immediately.
vpn VPN-SSG {
    bind-interface st0.0;
    ike {
        gateway GATEWAY-SSG;
        ipsec-policy ipsec-SSG-policy;
    }
    establish-tunnels on-traffic;
}

# IKE (phase 1) proposal: pre-shared key, DH group2, SHA-1, AES-128-CBC.
# NOTE(review): group2 is the 1024-bit MODP group and SHA-1 is a legacy hash. If the
# peer supports it, a larger DH group and a SHA-2 algorithm on both ends are preferable.
proposal IKE-SSG {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm sha1;
    encryption-algorithm aes-128-cbc;
}

# IKE policy in main mode using the proposal above.
# NOTE(review): a "$9$" string is Junos's reversible obfuscation, not a one-way hash.
# Because this value was posted publicly, the pre-shared key should be treated as
# disclosed and rotated on both peers; redact it in any future paste.
policy IKE-SSG-POLICY {
    mode main;
    proposals IKE-SSG;
    pre-shared-key ascii-text "$9$.Pz69CuBEyCAvWx7Vb"; ## SECRET-DATA
}

# IKE gateway: peer address shown as x.x.x.x, negotiated over ge-0/0/0.
gateway GATEWAY-SSG {
    ike-policy IKE-SSG-POLICY;
    address x.x.x.x;
    external-interface ge-0/0/0;
}