Hello,
Speaking from experience:
1/ the SRX behind NAT _MUST_ have "establish-tunnels immediately" configured.
2/ the SRX with public IP should NOT have "establish-tunnels immediately" configured, because
2a/ it makes no sense to poke udp/500 on the remote end behind NAT; on SRX, port 500 won't be translated into by default
2b/ "establish-tunnels immediately" seems to be broken with JUNOS 12.1X47-D15 - I got no tunnels up when both ends have "establish-tunnels immediately" and one end with public IP has JUNOS 12.1X47-D15.
Once I got it configured as above, IPSec VPN works fine.
HTH
Thx
Alex