You have the st.0 interface in your trust zone, plus a few other errors.

 

I have attached one end of working SRX config.

I have built up Site to Site vpn's before with srx's and replicated the steps used in those configs and have always used the st0.0 interface in the trust-zone. 

 

But I have moved it over to a separate zone now and nothing's changed. I think the problem is probably in the routing table somehow as they can reach the hosts locally or that are directly connected, but not beyond that.

 

However testing the routes does show them to work as they will send the traffic for the remote local network over the st0.0 interface.

 

You point out that there are other errors as well, I've compared the configs to previous ones that work just fine and yours and can't really find huge differences, but I might be reading over them.

 

Could you elaborate or point me in the right direction?

 

Is there a reason you have ip-addresses on your tunnel interfaces? If not, remove them and try again.

Else you could always configure flow traceoptions.

 

Also - unrelated to the issue you're facing, I'd change aggressive mode to main mode, and like john mentioned, put st0's in separate zones, gives a lot cleaner/easier configuration imo.

You mentioned you saw that the devices routed the traffic over the tunnel, so you should be able to see what happens with it after it gets out of the tunnel. If it does send it out the correct interface, does it come back ?

Please change your tunnels to main mode instead of agressive.

 

Then show the output of.

 

show security ike security-associations

 

and 

 

show security ipsec security-associations

 

 

A couple notes:

 

IP addresses on st0 interfaces aren't required for point-to-point vpns, point-to-multipoint need an IP.

 

However, I generally don't use an IP from my vlan subnet on a tunnel.  Pick something like a /30 that is not in the subnet.

 

Router A   -----------------------------------------------------------------------Router B

172.16.0.0/24  192.168.0.1/30  ---st0--- 192.168.0.2/30 -- 172.16.1.0/24

 

Then your routes would point the the opposite side 192 address.

 

As for placing the st0 interfaces in the trust zone, not a problem at all, just can trip up policy sometimes, so generally they are put in a vpn zone or the untrust zone to keep it logical.

 

 

Let me know if any of that helps

 

 Edit:

 

Also, the main or aggressive mode doesn't matter in this case.  If main mode is just an additional security level, but if one peer is dynamic, aggressive is required.

I normally don't use IP's either and as I've said I've reverted back to having the st0.0 without an IP on both devices.

 

I've not switched the mode from aggressive to main as I can do that later and the tunnel is up, that's not the problem.

 

root@vpn01.domain.com> show security ike security-associations 
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address   
4891439 UP     c1911570ef2b6e61  77239aed0a7c245d  Aggressive     a.b.c.d  

root@vpn01.domain.com> show security ipsec security-associations 
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon vsys Port  Gateway   
  <131073 ESP:3des/sha1 34dd7097 2497/ unlim   -   root 500   a.b.c.d  
  >131073 ESP:3des/sha1 7ed273e3 2497/ unlim   -   root 500   a.b.c.d 

 This is the interface information of st0.0 now:

root@vpn01.domain.com> show interfaces st0.0 
  Logical interface st0.0 (Index 79) (SNMP ifIndex 532) 
    Flags: Point-To-Point SNMP-Traps Encapsulation: Secure-Tunnel
    Input packets : 5566 
    Output packets: 5975
    Security: Zone: vpn
    Allowed host-inbound traffic : bootp bfd bgp dns dvmrp igmp ldp msdp nhrp ospf pgm pim rip router-discovery rsvp sap vrrp dhcp finger ftp tftp ident-reset http https ike netconf ping reverse-telnet
    reverse-ssh rlogin rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl lsping ntp sip r2cp
    Protocol inet, MTU: 9192
      Flags: Sendbcast-pkt-to-re

 Showing the route table:

root@vpn01.domain.com> show route 

inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 6d 22:46:36
                    > to 87.233.139.1 via fe-0/0/0.0
87.233.139.0/24    *[Direct/0] 6d 22:46:36
                    > via fe-0/0/0.0
87.233.139.160/32  *[Local/0] 6d 23:28:24
                      Local via fe-0/0/0.0
172.16.0.0/24      *[Static/5] 6d 02:10:37
                    > via st0.0
172.16.0.2/32      *[Static/5] 6d 00:44:09
                    > via st0.0
172.16.1.0/24      *[Direct/0] 5d 22:49:53
                    > via vlan.0
172.16.1.1/32      *[Local/0] 6d 23:28:33
                      Local via vlan.0

 

Pretty sure the route is fine since it sends the traffic over the tunnel.  Also shows the local subnet of 172.16.1.0/24 to be directly connected.. so any traffic for that network coming over the tunnel should reach it right?

Hi

 

Can you initiate some traffic between 172.16.0.x and 172.16.1.y and post
an output of "show security flow session" (for these sessions only,
you can filter by source-prefix and destination-prefix).

 

From this output it will be seen if you get any reply packets. Also
you have nat configured in your original configs, and you are doing
NAT to the interface address. This should not be breaking things, but
in your case you have (or had) different subnets on st0.0 interfaces
on differen sides, which will cause an issue (SRXs don't know
other's st0.0 subnet, to which NAT is made).

 

However I don't know why it is still not working after moving st0 to
other zone because NAT shouldn't be applied now. So please post the
output with sec flow sessions and your new configs also, if possible.