Hello!
IPsec VPN is up, but not passing data. Tried KB 10093, but no luck.
IPsec SAs are listed on both devices:
no:
run show security ipsec security-associations
Total active tunnels: 2
  ID      Algorithm      SPI       Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:3des/sha1  4b8ee27d  3527/ unlim  U   root 500   217.12.253.226
  >131073 ESP:3des/sha1  9973f3e1  3527/ unlim  U   root 500   217.12.253.226
tco:
show security ipsec security-associations
Total active tunnels: 3
  ID      Algorithm      SPI       Life:sec/kb  Mon lsys Port  Gateway
  <131074 ESP:3des/sha1  2f9a9ed   3587/ unlim  U   root 500   83.234.107.110
  >131074 ESP:3des/sha1  26c5a0c0  3587/ unlim  U   root 500   83.234.107.110
Routes configured:
no:
show route 172.17.20.28

inet.0: 9 destinations, 9 routes (9 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

172.17.20.0/24     *[Static/5] 00:01:44
                    > via st0.0
tco:
show route 192.168.18.33

inet.0: 100 destinations, 101 routes (100 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.18.0/24    *[Static/5] 00:00:31
                    > via st0.1

rt-cifra1-all.inet.0: 21 destinations, 22 routes (21 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/100] 3w3d 04:39:54
                    > to 213.167.60.117 via fe-0/0/1.0
Tunnel interfaces are in the "trust" zone and traffic is permitted on both devices.
no:
LAN {
    address TCO-admin-net 172.17.20.0/24;
    address NO-LAN 192.168.18.0/24;
    address PBX 172.17.22.0/24;
    address-set LAN-set {
        address TCO-admin-net;
        address PBX;
    }
    attach {
        zone trust;
    }
}
and policy:
show security policies from-zone trust to-zone trust
policy from-NO {
    match {
        source-address NO-LAN;
        destination-address LAN-set;
        application any;
    }
    then {
        permit;
    }
}
policy to-NO {
    match {
        source-address LAN-set;
        destination-address NO-LAN;
        application any;
    }
    then {
        permit;
    }
}
The tco device is pretty much the same, but has a firewall rule for policy-based routing:
filter FILTER1 {
    term pod-allow {
        from {
            destination-address {
                192.168.0.0/16;
            }
        }
        then accept;
    }
    term mgmt-allow {
        from {
            destination-address {
                172.16.0.0/12;
            }
        }
        then accept;
    }
    term TERM-test {
        from {
            source-address {
                172.17.20.28/32;
            }
        }
        then {
            routing-instance rt-cifra1-test;
        }
    }
    term default {
        then {
            routing-instance rt-cifra1-all;
        }
    }
}
But it shouldn't affect VPN traffic.
I am stuck.
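As an added check that is not part of the original post: a small Python model of Junos firewall-filter first-match evaluation over the FILTER1 terms above, to see which term a flow between the two LANs actually hits and so which routing instance does the lookup. It assumes the standard Junos semantics of in-order terms and an implicit discard when no term matches; `except` clauses and other match conditions are not modeled.

```python
from ipaddress import ip_address, ip_network

# The FILTER1 terms from the post, transcribed in configured order.
# Each term lists its "from" prefix matches (src/dst) and its "then" action;
# a term without "from" matches every packet.
FILTER1 = [
    {"name": "pod-allow",  "dst": ["192.168.0.0/16"], "action": "accept"},
    {"name": "mgmt-allow", "dst": ["172.16.0.0/12"],  "action": "accept"},
    {"name": "TERM-test",  "src": ["172.17.20.28/32"],
     "action": "routing-instance rt-cifra1-test"},
    {"name": "default",    "action": "routing-instance rt-cifra1-all"},
]


def _in_any(addr, prefixes):
    """True if addr falls inside at least one of the prefixes."""
    return any(ip_address(addr) in ip_network(p) for p in prefixes)


def evaluate(filter_terms, src, dst):
    """Return (term_name, action) of the first term whose criteria all match.

    Junos filters are first-match; if no term matches, the implicit action
    is discard, which is returned as (None, "discard").
    """
    for term in filter_terms:
        if "src" in term and not _in_any(src, term["src"]):
            continue
        if "dst" in term and not _in_any(dst, term["dst"]):
            continue
        return term["name"], term["action"]
    return None, "discard"


def vpn_flow_terms(filter_terms=FILTER1):
    """Evaluate one constructed host per LAN in each direction of the tunnel.

    Hosts are constructed from the address book in the post: 172.17.20.28
    (TCO-admin-net) and 192.168.18.33 (NO-LAN).
    """
    return {
        "tco->no": evaluate(filter_terms, "172.17.20.28", "192.168.18.33"),
        "no->tco": evaluate(filter_terms, "192.168.18.33", "172.17.20.28"),
    }


if __name__ == "__main__":
    for flow, (term, action) in vpn_flow_terms().items():
        print(f"{flow}: term {term} -> {action}")
```

Both LAN-to-LAN directions land in an accept term, so the lookup stays in inet.0 where the st0.1 route lives; a source not covered by the first two terms is what ends up in rt-cifra1-all.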