How do you implement NAT-T passthrough on a Juniper SRX series Firewall?
Posted by Chris on Server Fault
Published on 2010-03-24T18:03:08Z
We have three Juniper SRX-100 firewalls, configured like so:
FW1 -> FW2 -> INTERNET -> FW3
We would like to create an IPsec tunnel between FW3 and FW1 passing through FW2, preferably using NAT-T. Is this possible?
FW1 and FW2 have some strict access rules only allowing one port connected (it's a DMZ with a server in it), so we can't just create a route-based VPN between FW1 and FW2 to forward the traffic (otherwise all traffic will be forwarded).
We know the tunnel is fine because we have managed to test it between FW1 and FW3 (without FW2 in the middle), so we know that the issue is to do with the 'passthrough' on FW2.
Essentially, the question is: what options do we need to select on FW2 to enable it to pass through the IPsec traffic straight to FW1?
Many thanks in advance
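The following is an added example of the FW2-side configuration the question is asking about; it is not from the original post or from Juniper, and every name in it is an assumption: zone "dmz" on ge-0/0/1.0 facing FW1, zone "untrust" on ge-0/0/0.0 facing the Internet, FW1's outside address 10.0.1.2/32 and FW3's public address 203.0.113.10/32. The point it demonstrates is that a NAT-T tunnel crossing FW2 needs only two UDP ports (IKE on 500 and NAT-T on 4500), scoped to the two tunnel endpoints, plus source NAT so the peers detect the NAT and switch to UDP encapsulation; no broad forwarding rule and no extra route-based VPN on FW2 is required.

```junos
## Added example (not the original poster's config). Assumed names:
## zone dmz = ge-0/0/1.0 towards FW1, zone untrust = ge-0/0/0.0 towards the Internet,
## FW1 outside address 10.0.1.2/32, FW3 public address 203.0.113.10/32.

## Zones and interfaces (adjust to the real topology)
set security zones security-zone dmz interfaces ge-0/0/1.0
set security zones security-zone untrust interfaces ge-0/0/0.0

## Address-book entries for the two tunnel endpoints (zone-scoped, as on 2010-era Junos)
set security zones security-zone dmz address-book address fw1-outside 10.0.1.2/32
set security zones security-zone untrust address-book address fw3-public 203.0.113.10/32

## Security policy: only IKE (UDP/500) and NAT-T (UDP/4500), only between the two peers.
## junos-ike and junos-ike-nat are Junos predefined applications.
set security policies from-zone dmz to-zone untrust policy fw1-to-fw3-ipsec match source-address fw1-outside
set security policies from-zone dmz to-zone untrust policy fw1-to-fw3-ipsec match destination-address fw3-public
set security policies from-zone dmz to-zone untrust policy fw1-to-fw3-ipsec match application [ junos-ike junos-ike-nat ]
set security policies from-zone dmz to-zone untrust policy fw1-to-fw3-ipsec then permit
set security policies from-zone dmz to-zone untrust policy fw1-to-fw3-ipsec then log session-init

## Source NAT: hide FW1 behind FW2's untrust interface address. This is what makes
## FW1 and FW3 detect a NAT in the path during IKE and move to UDP/4500 (NAT-T),
## so raw ESP never has to cross FW2.
set security nat source rule-set dmz-out from zone dmz
set security nat source rule-set dmz-out to zone untrust
set security nat source rule-set dmz-out rule fw1-natt match source-address 10.0.1.2/32
set security nat source rule-set dmz-out rule fw1-natt match destination-address 203.0.113.10/32
set security nat source rule-set dmz-out rule fw1-natt then source-nat interface

## Only if FW2 routes FW1's address unchanged (no NAT at all): the peers will not
## negotiate NAT-T, ESP stays as IP protocol 50 and must be permitted explicitly.
## set applications application esp-proto-50 protocol 50
## set security policies from-zone dmz to-zone untrust policy fw1-to-fw3-ipsec match application esp-proto-50
```

Two caveats that follow from this setup: FW1 should be the initiator, because with interface source NAT there is no inbound mapping on FW2 for FW3 to reach FW1 (reply traffic rides on the session FW1 created); and FW3 will see the peer as FW2's public address with a possibly rewritten source port, so FW3's IKE gateway must be configured for a peer behind NAT (dynamic peer with a hostname/FQDN identity) or FW2 must give FW1 a static one-to-one NAT on a spare public address. To check the result, `show security flow session` on FW2 should show one UDP/500 and one UDP/4500 session between the two endpoints, and `show security ike security-associations` on FW1 should show the SA with FW3.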
© Server Fault or respective owner