The subnets on each far side of the gateways are in the 10.x.x.x ranges (a few different ones, as a couple of subnets are connected to the SRX). I saw in some examples that others were using a GRE tunnel over the VPN, so I thought I would get the IPsec going and then once I can ping I would set up a GRE tunnel and route the 10.x.x.x through that level for easier management on both sides. I'm not there yet.
With a multipoint tunnel, the /24 is what seems to be the way to go? Eventually there will be another connection, so the SRX will be a hub in a hub-and-spoke type setup. I thought the multipoint with another address in the 172.16.41.x range for the next spoke would be the way to go. Is that overcomplicating things right now?
The other thing that I've noticed is that the statistics show no decrypted packets and no errors from the incoming pings.
    root@fw01> show security ipsec statistics
    node0:
    --------------------------------------------------------------------------
    ESP Statistics:
      Encrypted bytes:            51484
      Decrypted bytes:                0
      Encrypted packets:            329
      Decrypted packets:              0
    AH Statistics:
      Input bytes:                    0
      Output bytes:                   0
      Input packets:                  0
      Output packets:                 0
    Errors:
      AH authentication failures: 0, Replay errors: 0
      ESP authentication failures: 0, ESP decryption failures: 0
      Bad headers: 0, Bad trailers: 0
Could that be an indication that the IPsec decryption isn't working when the SRX receives the ESP packets?
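
An added example, not part of the original post: a small Python check that parses `show security ipsec statistics` counters like the ones quoted above and separates "inbound packets were rejected" from "nothing inbound was processed". The verdict labels are hypothetical names chosen for this example, and it assumes a failed decrypt or authentication check would raise one of the error counters.

```python
import re

# Constructed input: the counters from the post above, re-typed one per line.
SAMPLE = """\
ESP Statistics:
  Encrypted bytes: 51484
  Decrypted bytes: 0
  Encrypted packets: 329
  Decrypted packets: 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0
"""

# Counters that move when an inbound packet reaches IPsec processing and is rejected.
ERROR_KEYS = ("AH authentication failures", "Replay errors",
              "ESP authentication failures", "ESP decryption failures",
              "Bad headers", "Bad trailers")

def parse_counters(text):
    """Return {name: value} for each 'Name: <number>' pair (wrapped or flattened output)."""
    pairs = re.findall(r"([A-Za-z][A-Za-z ]*?):\s*(\d+)", text)
    return {name: int(value) for name, value in pairs}

def assess(counters):
    """Classify the tunnel's traffic direction (hypothetical labels for this example)."""
    enc = counters.get("Encrypted packets", 0)
    dec = counters.get("Decrypted packets", 0)
    if any(counters.get(k, 0) for k in ERROR_KEYS):
        return "inbound-rejected"   # ESP/AH arrived but failed a check
    if enc and not dec:
        # Assumption: a failed decrypt would have raised an error counter, so this
        # pattern means no inbound ESP was processed, not that decryption broke.
        return "outbound-only"
    if enc and dec:
        return "bidirectional"
    return "inbound-only" if dec else "idle"

if __name__ == "__main__":
    counters = parse_counters(SAMPLE)
    print(assess(counters), counters)
```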