Hi,
I didn't add a static route manually, but because of the interface address being /24, it appears as though there is a route out st0.0:
root@fw01> show route
...
0.0.0.0/0 *[Static/5] 32w6d 23:52:37> to a.b.c.x via reth0.0
172.16.41.0/24 *[Direct/0] 02:03:15> via st0.0
172.16.41.1/32 *[Local/0] 1w2d 00:32:06
Local via st0.0I didn't show pings from the SRX to Linux, but "ping 172.16.41.51" from the SRX does show the right encrypted traffic:
11:28:37.241479 IP a.b.c.d.4500 > e.f.g.h.4500: UDP-encap: ESP(spi=0x04ae67bc,seq=0xc), length 136
(and decrypted that is a ping from 172.16.41.1 to 172.16.41.51)
So the SRX seems to know how route traffic out the VPN link too, but not accept anything incoming.
Thanks for the reminder about the security policy. I was trying to get the basics going first and then I will have to add policies for internal traffic on each side.