Source NAT through VPN not working from switched interface

Hi There, 

I'm currently trying to solve an AWS transitive routing issue using a VPN between two SRX devices, coming from a Cisco world, this has been a bit of a learning curve this week - I've made some good progress but have hit a wall and not sure why.

The VPN is up and running between and on-prem SRX 100 and a Vsrx in AWS over our WAN. I can ping between the local/remote networks without issue. I set up source nat on the Vsrx to allow to egress to the internet via the VPN.

If I ping 8.8.8.8 using the L3 interface on the srx100 I can go throught the VPN without issue and can see the NAT working using the show security flow session command.

If I ping 8.8.8.8 from the L2 interface (which my client is connected to on fe-0/0/3.0) which has an IP on the same subnet, no dice. The L3 interface for the subnet is setup and contactable from the client.

I'm hoping I've missed something really stupid, would appreciate some help.

Below is my network diagram and two srx configs, Unfortunately it wont let me attached the configs as files:

On Prem SRX:

## Last commit: 2017-12-01 01:15:40 UTC by root
version 12.1X44-D30.4;
system {
root-authentication {
encrypted-password "$1$Xqnk0iLx$WJ59rffLgV0qWzE8G3Oyg."; ## SECRET-DATA
}
name-server {
208.67.222.222;
208.67.220.220;
}
services {
ssh;
telnet;
xnm-clear-text;
web-management {
http {
interface vlan.0;
}
https {
system-generated-certificate;
interface vlan.0;
}
}
dhcp {
router {
192.168.1.1;
}
pool 192.168.1.0/24 {
address-range low 192.168.1.2 high 192.168.1.254;
}
propagate-settings fe-0/0/0.0;
}
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
}
interfaces {
fe-0/0/0 {
unit 0;
}
fe-0/0/1 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/2 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/3 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust2;
}
}
}
}
fe-0/0/4 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/5 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/6 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/7 {
unit 0 {
family inet {
address 10.99.10.223/24;
}
}
}
st0 {
unit 0 {
family inet {
address 1.1.1.2/24;
}
}
}
vlan {
unit 0 {
family inet {
address 192.168.1.1/24;
}
}
unit 170 {
family inet {
address 192.168.170.1/24;
}
}
}
}
routing-options {
static {
route 192.168.168.0/24 next-hop st0.0;
route 10.220.1.60/32 next-hop 10.99.10.254;
route 0.0.0.0/0 next-hop st0.0;
}
}
protocols {
stp;
}
security {
ike {
proposal ike-phase1-proposal {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm aes-128-cbc;
}
policy ike-phase1-policy {
mode main;
proposals ike-phase1-proposal;
pre-shared-key ascii-text "$9$2ygZDiHmTF/qmEyK8dVqmf5Qn/Ct01R6/Ct"; ## SECRET-DATA
}
gateway gw-vir {
ike-policy ike-phase1-policy;
address 10.220.1.60;
external-interface fe-0/0/7.0;
}
}
ipsec {
proposal ipsec-phase2-proposal {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm aes-128-cbc;
}
policy ipsec-phase2-policy {
perfect-forward-secrecy {
keys group2;
}
proposals ipsec-phase2-proposal;
}
vpn ike-vpn-vir {
bind-interface st0.0;
ike {
gateway gw-vir;
ipsec-policy ipsec-phase2-policy;
}
}
}
address-book {
book1 {
address ldn 192.168.170.0/24;
attach {
zone trust;
}
}
book2 {
address virginia 192.168.168.0/24;
attach {
zone vpn-vir;
}
}
}
flow {
tcp-mss {
ipsec-vpn {
mss 1350;
}
}
}
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
source {
rule-set trust-to-untrust {
from zone trust;
to zone untrust;
rule source-nat-rule {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
policies {
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone vpn-vir {
policy vpn-tr-vir {
match {
source-address ldn;
destination-address virginia;
application any;
}
then {
permit;
}
}
}
from-zone vpn-vir to-zone trust {
policy vpn-vir-tr {
match {
source-address virginia;
destination-address ldn;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
vlan.0;
fe-0/0/7.0;
fe-0/0/3.0;
vlan.170;
}
}
security-zone untrust {
screen untrust-screen;
interfaces {
fe-0/0/0.0 {
host-inbound-traffic {
system-services {
dhcp;
tftp;
}
}
}
}
}
security-zone vpn-vir {
interfaces {
st0.0;
}
}
}
}
vlans {
vlan-trust {
vlan-id 3;
}
vlan-trust2 {
vlan-id 170;
l3-interface vlan.170;
}
}

AWS Vsrx:

## Last changed: 2017-12-01 14:14:15 UTC
version 15.1X49-D100.6;
groups {
aws-default {
system {
root-authentication {
blanked out
}
services {
ssh {
no-passwords;
}
netconf {
ssh;
}
web-management {
https {
system-generated-certificate;
}
}
}
}
interfaces {
fxp0 {
unit 0 {
family inet {
address 10.220.2.197/23;
}
}
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop 10.220.2.1;
}
}
}
}
apply-groups aws-default;
system {
host-name vsrx;
domain-name blank.com
root-authentication {
encrypted-password "$5$y1JinMy8$7EXZ.ly3HqvfUHQx427W.yOg5isev5s39K2x3a6ldb2"; ## SECRET-DATA
}
name-server {
8.8.8.8;
10.99.70.18;
}
services {
web-management {
https {
pki-local-certificate juniper-local;
interface fxp0.0;
}
}
}
syslog {
user * {
any emergency;
}
file messages {
any notice;
authorization info;
}
file interactive-commands {
interactive-commands any;
}
}
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
ntp {
server 193.150.34.2;
server 138.68.46.177;
}
}
security {
pki {
ca-profile ca-profile1 {
ca-identity ca-profile1;
}
}
ike {
proposal ike-phase1-proposal {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm aes-128-cbc;
}
policy ike-phase1-policy {
mode main;
proposals ike-phase1-proposal;
pre-shared-key ascii-text "$9$f53/CA0Ihrp0-wgJHkp0B1RSrev8xNyrev"; ## SECRET-DATA
}
gateway gw-ldn {
ike-policy ike-phase1-policy;
address 10.99.10.223;
external-interface ge-0/0/1.0;
}
}
ipsec {
proposal ipsec-phase2-proposal {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm aes-128-cbc;
}
policy ipsec-phase2-policy {
perfect-forward-secrecy {
keys group2;
}
proposals ipsec-phase2-proposal;
}
vpn ike-vpn-ldn {
bind-interface st0.0;
ike {
gateway gw-ldn;
ipsec-policy ipsec-phase2-policy;
}
}
}
address-book {
book1 {
address virginia 192.168.168.0/24;
attach {
zone trust;
}
}
book2 {
address ldn 192.168.170.0/24;
attach {
zone vpn-ldn;
}
}
global {
address london 192.168.170.0/24;
}
}
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
source {
rule-set vpn-ldn-untrust {
from zone vpn-ldn;
to zone untrust;
rule ldnvpn-v4 {
match {
source-address-name london;
destination-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
policies {
from-zone trust to-zone trust {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone untrust {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone orange to-zone orange {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone vpn-ldn {
policy vpn-tr-ldn {
match {
source-address virginia;
destination-address ldn;
application any;
}
then {
permit;
}
}
}
from-zone vpn-ldn to-zone trust {
policy vpn-ldn-tr {
match {
source-address ldn;
destination-address virginia;
application any;
}
then {
permit;
}
}
}
from-zone vpn-ldn to-zone untrust {
policy vpn-ldn-ut {
match {
source-address ldn;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone untrust to-zone vpn-ldn {
policy ut-vpn-ldn {
match {
source-address any;
destination-address ldn;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone trust {
tcp-rst;
host-inbound-traffic {
system-services {
all;
}
}
interfaces {
ge-0/0/1.0;
lo0.0;
}
}
security-zone untrust {
screen untrust-screen;
interfaces {
ge-0/0/0.0;
}
}
security-zone orange {
tcp-rst;
host-inbound-traffic {
system-services {
https;
}
}
}
security-zone red {
screen untrust-screen;
}
security-zone vpn-ldn {
host-inbound-traffic {
system-services {
all;
}
}
interfaces {
st0.0;
}
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
address 10.220.0.181/24;
}
}
}
ge-0/0/1 {
unit 0 {
family inet {
address 10.220.1.60/24;
}
}
}
lo0 {
unit 0 {
family inet {
address 192.168.168.1/32;
}
}
}
st0 {
unit 0 {
family inet {
address 1.1.1.1/24;
}
}
}
}
routing-instances {
icg-1 {
instance-type virtual-router;
interface ge-0/0/0.0;
interface ge-0/0/1.0;
interface lo0.0;
interface st0.0;
routing-options {
static {
route 10.99.0.0/16 next-hop 10.220.1.1;
route 0.0.0.0/0 next-hop 10.220.0.1;
route 192.168.170.0/24 next-hop st0.0;
}
}
}
}

On prem Srx 100