Source NAT was being applied to all traffic (both Internet and VPN tunnel traffic), so it was also affecting the VPN tunnel traffic. The customer requirement was to apply source NAT only to Internet-bound traffic.
The customer wants to NAT only the traffic destined for the Internet, and does not want to NAT traffic going through the VPN tunnel.
Source NAT was configured for Internet access, and VPN traffic initiated from the network for which source NAT was configured was NAT'ed as well. This caused the traffic to not pass through the tunnel. In the latest version of JUNOS, the NAT rule lookup is done separately from the security policy lookup. (In ScreenOS, NAT is linked with the policy, i.e. source NAT has to be enabled in the policy itself.)
In many cases, customers create a source NAT rule with source-address 0.0.0.0/0 and destination-address 0.0.0.0/0. Such a catch-all rule also matches traffic bound for the remote VPN subnet.
Note: To tell whether traffic is being NAT'd, use the flow traceoptions for basic-datapath. If interface NAT has been configured, you will see the private IP being translated to the public IP address of the interface, and the dip id will be 0/2. When NAT is not occurring, the dip id will be 0/0.
For VPN traffic, a rule needs to be created that disables NAT (source-nat off). This rule has to be placed at the top of the rule-set, because source NAT rules are evaluated in order and the first matching rule is applied. The rule is shown below:
[edit security nat]
root@DEV-FW1# show
source {
    rule-set test {
        from zone trust;
        to zone untrust;
        /* Must be first: traffic from the local subnet to the remote VPN subnet is not translated */
        rule vpn-no-nat {
            match {
                source-address 192.168.1.0/24;
                destination-address 192.168.2.0/24;
            }
            then {
                source-nat {
                    off;
                }
            }
        }
        /* Catch-all: everything else from trust to untrust is translated to the egress interface address */
        rule out-nat {
            match {
                source-address 0.0.0.0/0;
                destination-address 0.0.0.0/0;
            }
            then {
                source-nat {
                    interface;
                }
            }
        }
    }
}

{disabled:node0}[edit security nat]
root@DEV-FW1#
In the above example, "vpn-no-nat" is the rule that disables NAT for VPN traffic, and the other rule NATs traffic going to the Internet or any other destination.
IMPORTANT: Even after creating the above rule, if traffic still does not flow through the tunnel, deactivate all the rules and commit, then activate the rules and commit again.
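The following is an added illustration (not from this KB article or from Juniper) of why rule order matters: a small model of how an SRX walks a source NAT rule-set top to bottom and applies the first matching rule. The egress interface address 203.0.113.1 and the sample hosts are constructed values, and the returned "dip id" mirrors the basic-datapath trace (0/2 for interface NAT, 0/0 when no translation occurs).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NatRule:
    name: str
    source: str        # match source-address prefix
    destination: str   # match destination-address prefix
    action: str        # "off" (source-nat off) or "interface" (source-nat interface)

    def matches(self, src: str, dst: str) -> bool:
        return (ip_address(src) in ip_network(self.source)
                and ip_address(dst) in ip_network(self.destination))


# The two rules from the configuration above, in the order they must appear.
VPN_NO_NAT = NatRule("vpn-no-nat", "192.168.1.0/24", "192.168.2.0/24", "off")
OUT_NAT = NatRule("out-nat", "0.0.0.0/0", "0.0.0.0/0", "interface")

# Constructed value: the untrust interface address used by "source-nat interface".
EGRESS_IP = "203.0.113.1"


def lookup(rules, src, dst):
    """First-match lookup, as the SRX performs it within a rule-set.

    Returns (matched rule name, translated source address, dip id).
    dip id 0/2 means interface NAT was applied; 0/0 means no NAT.
    """
    for rule in rules:
        if rule.matches(src, dst):
            if rule.action == "interface":
                return rule.name, EGRESS_IP, "0/2"
            return rule.name, src, "0/0"   # source-nat off: address unchanged
    return None, src, "0/0"                # no rule matched: no translation


if __name__ == "__main__":
    correct = [VPN_NO_NAT, OUT_NAT]
    wrong = [OUT_NAT, VPN_NO_NAT]          # catch-all on top swallows tunnel traffic
    for order, label in ((correct, "no-nat rule first"), (wrong, "catch-all first")):
        print(label, "-> VPN:", lookup(order, "192.168.1.10", "192.168.2.20"),
              "Internet:", lookup(order, "192.168.1.10", "198.51.100.7"))
```

With the no-NAT rule first, tunnel traffic keeps its private source and only Internet traffic is translated; with the catch-all on top, the tunnel traffic is NAT'ed and the VPN proxy-ID no longer matches.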
2020-10-28: Removed EOL/EOS product.