So I tested this configuratoin between two SRX's and it worked.
I just upgraded to the latest version on both the SRX's and MX-480. Still not working.
I have tried VR to VR as well same results.
so here are my configs.
SRX (inet.0) ge-6/0/14 -----------cable ------------- ge-1/2/3 MX-480 (inet.0) ----- VR-ROUTE-LEAK-TEST
IKE GATEWAY lo0.0 IKE GATEWAY lo0.3
MX-480 - INET.0 (10.10.20.2/30) - connected to the "cloud" distant end SRX (10.10.20.1/30).
MX-480 - INET.0
set interfaces ge-1/2/3 unit 0 family inet address 10.10.20.2/30
Route leak to VR (ROUTE-LEAK-TEST)
set routing-options static rib-group inet.0_to_RLT.inet.0;
set routing-options static route 10.10.20.3/32 next-hop 10.10.20.1
set routing-options static route 10.10.20.10/30 next-table ROUTE-LEAK-TEST.inet.0
Routes received from VR (IKE GATEWAY is lo0.3 10.10.20.9)
show route table inet.0
10.10.20.8/30 *[Static/5] 00:00:33
to table ROUTE-LEAK-TEST.inet.0
****************************************************************************
MX-480 - ROUTE-LEAK-TEST.inet.0 (VR configuration, including VPN)
set interfaces ms-2/0/0 unit 15 family inet
set interfaces ms-2/0/0 unit 15 service-domain inside
set interfaces ms-2/0/0 unit 16 family inet
set interfaces ms-2/0/0 unit 16 service-domain outside
set interfaces lo0 unit 3 family inet address 10.10.20.5/32 (IKE GATEWAY)
set interfaces lo0 unit 3 family inet address 10.10.20.6/32 (BGP, once the tunnel comes up)
****************************************************************************
set services service-set ROUTE-LEAK-TEST next-hop-service inside-service-interface ms-2/0/0.15
set services service-set ROUTE-LEAK-TEST next-hop-service outside-service-interface ms-2/0/0.16
set services service-set ROUTE-LEAK-TEST ipsec-vpn-options local-gateway 10.10.20.9
set services service-set ROUTE-LEAK-TEST ipsec-vpn-options local-gateway routing-instance ROUTE-LEAK-TEST
set services service-set ROUTE-LEAK-TEST ipsec-vpn-rules ROUTE-LEAK-TEST
set services ipsec-vpn rule ROUTE-LEAK-TEST term 10 from source-address 0.0.0.0/0
set services ipsec-vpn rule ROUTE-LEAK-TEST term 10 from destination-address 0.0.0.0/0
set services ipsec-vpn rule ROUTE-LEAK-TEST term 10 then remote-gateway 10.10.20.3
set services ipsec-vpn rule ROUTE-LEAK-TEST term 10 then dynamic ike-policy ROUTE-LEAK-TEST
set services ipsec-vpn rule ROUTE-LEAK-TEST term 10 then dynamic ipsec-policy ROUTE-LEAK-TEST
set services ipsec-vpn rule ROUTE-LEAK-TEST match-direction input
set services ipsec-vpn ipsec policy ROUTE-LEAK-TEST perfect-forward-secrecy keys group14
set services ipsec-vpn ipsec policy ROUTE-LEAK-TEST proposals SHA256-AES256
set services ipsec-vpn ike policy ROUTE-LEAK-TEST mode main
set services ipsec-vpn ike policy ROUTE-LEAK-TEST version 1
set services ipsec-vpn ike policy ROUTE-LEAK-TEST proposals PSK-AES256-SHA256-DH14
set services ipsec-vpn ike policy ROUTE-LEAK-TEST pre-shared-key ascii-text
set routing-options rib-groups inet.0_to_RLT.inet.0 import-rib ROUTE-LEAK-TEST.inet.0
set routing-options rib-groups RLT.inet.0_to_inet.0 import-rib ROUTE-LEAK-TEST.inet.0
set routing-instances ROUTE-LEAK-TEST instance-type virtual-router
set routing-instances ROUTE-LEAK-TEST interface xe-1/0/0.660
set routing-instances ROUTE-LEAK-TEST interface ms-2/0/0.15
set routing-instances ROUTE-LEAK-TEST interface ms-2/0/0.16
set routing-instances ROUTE-LEAK-TEST interface lo0.3
set routing-instances ROUTE-LEAK-TEST routing-options interface-routes rib-group inet RLT.inet.0_to_inet.0
set routing-instances ROUTE-LEAK-TEST routing-options static rib-group RLT.inet.0_to_inet.0
set routing-instances ROUTE-LEAK-TEST routing-options static route 10.10.20.4/32 next-hop ms-2/0/0.15
show route table ROUTE-LEAK-TEST.inet.0
ROUTE-LEAK-TEST.inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
10.10.20.3/32 *[Static/5] 00:15:50
> to 10.10.20.1 via ge-1/2/3.0 (ROUTE FROM INET.0)
ping routing-instance ROUTE-LEAK-TEST 10.10.20.3 source 10.10.20.9
PING 10.10.20.3 (10.10.20.3): 56 data bytes
64 bytes from 10.10.20.3: icmp_seq=0 ttl=64 time=0.867 ms
64 bytes from 10.10.20.3: icmp_seq=1 ttl=64 time=2.421 ms
64 bytes from 10.10.20.3: icmp_seq=2 ttl=64 time=0.865 ms
****************************************************************************
SRX
set interfaces ge-6/0/14 unit 0 family inet address 10.10.20.2/30
set security ike policy ROUTE-LEAK-TEST mode main
set security ike policy ROUTE-LEAK-TEST proposals PSK-AES256-SHA256-DH14
set security ike policy ROUTE-LEAK-TEST pre-shared-key ascii-text
set security ike gateway ROUTE-LEAK-TEST ike-policy ROUTE-LEAK-TEST
set security ike gateway ROUTE-LEAK-TEST address 10.10.20.3
set security ike gateway ROUTE-LEAK-TEST dead-peer-detection interval 10
set security ike gateway ROUTE-LEAK-TEST dead-peer-detection threshold 2
set security ike gateway ROUTE-LEAK-TEST external-interface lo0.6
set security ike gateway ROUTE-LEAK-TEST local-address 10.10.20.9
set security ipsec policy ROUTE-LEAK-TEST perfect-forward-secrecy keys group14
set security ipsec policy ROUTE-LEAK-TEST proposals SHA256-AES256
set security ipsec vpn ROUTE-LEAK-TEST bind-interface st0.5
set security ipsec vpn ROUTE-LEAK-TEST ike gateway ROUTE-LEAK-TEST
set security ipsec vpn ROUTE-LEAK-TEST ike ipsec-policy ROUTE-LEAK-TEST
set routing-options static route 10.10.20.8/30 next-hop 10.10.20.2
ping 10.10.20.9 source 10.10.20.3
PING 10.10.20.9 (10.10.20.9): 56 data bytes
64 bytes from 10.10.20.9: icmp_seq=0 ttl=64 time=1.010 ms
64 bytes from 10.10.20.9: icmp_seq=1 ttl=64 time=1.428 ms
64 bytes from 10.10.20.9: icmp_seq=2 ttl=64 time=0.921 ms
^C
--- 10.10.20.9 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.921/1.120/1.428/0.221 ms