Hello ,
As per the output is shared , the traffic from SRx end is going into the tunnel , thats why it shows the encrypt packet getting incremented . Also the session details shows that same .
But we are not getting any decrypt packet on SRX which shows that we are not getting reverse packet from the peer Zyxel .
Now there are 2 possibilitied for this :
1) The peer device is not getting our VPN packet : In this case you need to check if the peer device if you are getting or not . If its confirmed that the peer device is not getting the VPN packet , it could be the ISP dropping the packet .
2) The peer device gets the VPN traffic from SRX , but dropping the reverse packet : In this case you will see the decrypt packet counter increamenting on peer end but no encrypt packet . So you need to look into the peer device to see why its dropping the reverse packet .
Now one more thing you need to keep in mind is that in SRX policy based VPN does not support NAT from VPN traffic , so you need to always keep NAT off for VPN traffic . If you need to use NAT for VPN , you may need to switch the setup to "route based VPN " .