Hey,
I’ve got an up/up tunnel between an SRX and a 3rd party fw.
I can ping RFC1918 on his end, but anything he sends to me fails.
Do I need another security policy from untrust to trust to allow traffic, or perhaps in the security zone itself?
Any quick thoughts I could check?
If you can ping his side of things, then your security policies for data going from you to them sound good. But you also need a security policy to allow traffic generated from their side of the link to hit your systems on your side. So, for example, traffic from you should go from the Trust zone to the VPN zone. If you want traffic to hit your servers from their side you would need a rule for VPN zone to Trust zone as well. Don’t forget to set any static or dynamic routing needed to push traffic back over the VPN tunnel.
Just going to echo the other post. Trust to VPN and VPN to Trust on either side is a required policy. And allowing IKE over your untrust link. You don’t want untrust to trust policies because then you’re not using that tunnel you made.
Forgot to say it’s a policy based VPN, so aren’t the security policies configured by the “then permit tunnel”?
I forgot I put the destination in its own instance. As soon as I leaked the route, everything worked as intended lol.
Please don’t use policy-based VPNs. Route-based can do everything these days.
If I had control of both ends, I would 
It doesn’t matter. The SRX neither knows nor cares whether the remote end is using a route-based or policy-based configuration. This is a very common misconception.
See that’s what I thought. We couldn’t get the tunnel up using routed.
This is correct. You can use traffic selectors to build route-based policies to use the same tunnel interface.
I wrote a blog about it a while back here
Did you set your proxy IDs to match?
Nope, I bet that’s what it was.
My only experience is routed to routed, where I’ve never set it up before so they were the default generated which probably didn’t match the other end.
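Pulling the thread together, here is an added Junos configuration sketch (not posted by anyone in this thread) showing the pieces the replies above call out: a route-based VPN bound to an st0 interface, policies in both directions between the Trust and VPN zones, IKE allowed inbound on the untrust interface, a traffic selector whose local/remote prefixes are what the peer sees as the Phase 2 proxy IDs, and a static route pointing the remote prefix at the tunnel. Interface names, zone names, the peer address 203.0.113.10, the prefixes 10.10.0.0/24 and 192.168.50.0/24, and the proposal settings are all assumed placeholders, not values from the thread.

```junos
/* Added example, not from the thread. All addresses and names are placeholders. */
security {
    ike {
        proposal ike-prop {
            authentication-method pre-shared-keys;
            dh-group group14;
            authentication-algorithm sha-256;
            encryption-algorithm aes-256-cbc;
        }
        policy ike-pol {
            proposals ike-prop;
            pre-shared-key ascii-text "REPLACE-WITH-SHARED-SECRET";
        }
        gateway gw-partner {
            ike-policy ike-pol;
            address 203.0.113.10;           /* peer's public address (placeholder) */
            external-interface ge-0/0/0.0;  /* your untrust interface */
            version v2-only;
        }
    }
    ipsec {
        proposal ipsec-prop {
            protocol esp;
            authentication-algorithm hmac-sha-256-128;
            encryption-algorithm aes-256-cbc;
        }
        policy ipsec-pol {
            perfect-forward-secrecy {
                keys group14;
            }
            proposals ipsec-prop;
        }
        vpn vpn-partner {
            bind-interface st0.0;           /* route-based: tunnel is an interface */
            ike {
                gateway gw-partner;
                ipsec-policy ipsec-pol;
            }
            /* local-ip/remote-ip are the Phase 2 proxy IDs the peer must mirror
               (their local = your remote). A mismatch here keeps Phase 2 from
               coming up even when Phase 1 is fine. */
            traffic-selector ts-lan {
                local-ip 10.10.0.0/24;
                remote-ip 192.168.50.0/24;
            }
            establish-tunnels immediately;
        }
    }
    zones {
        security-zone trust {
            interfaces {
                ge-0/0/1.0;
            }
        }
        security-zone vpn {
            interfaces {
                st0.0;
            }
        }
        security-zone untrust {
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            ike;            /* lets the peer's IKE reach the SRX */
                        }
                    }
                }
            }
        }
    }
    policies {
        /* your side -> their side */
        from-zone trust to-zone vpn {
            policy to-partner {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* their side -> your side; without this their traffic is dropped */
        from-zone vpn to-zone trust {
            policy from-partner {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
interfaces {
    st0 {
        unit 0 {
            family inet;
        }
    }
}
routing-options {
    /* return traffic must be steered into the tunnel; with a traffic selector
       the SRX can also insert this route automatically, but if the remote
       prefix lives in a separate routing instance it needs a route (or a
       leaked route) there too, which is what fixed the original poster's case */
    static {
        route 192.168.50.0/24 next-hop st0.0;
    }
}
```

Tighten the `any`/`any` policies to the real prefixes and applications once the tunnel passes traffic; `show security ike security-associations` and `show security ipsec security-associations` confirm Phase 1 and Phase 2 respectively, and `show route 192.168.50.0/24` confirms the return path actually resolves to `st0.0` in the instance the traffic originates from.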