Thanks for your advice. We believe that it is working now with some minor changes to the pfSense end.
We have gone back to basics on IPSec.
Since the Security Associations (SA) were being established between the two sites, but traffic was flowing OUTOF the pfSense (to somewhere) but not flowing INTO the pfSense from the second site (from y.y.y.y); and no traffic was being received at the second site. We assumed that there must be some device in the way that was blocking the data traffic.
Since the data traffic is handled on ESP Protocol, something must be blocking that.
Changing the router configuration, so instead of using open ports (UDP 500) for NAT, we tested by using a DMZ/address map. As soon as this was changed, data started to flow and SSH connections could be made.
We also made it more robust by adding a gateway definition for the LAN interface and Firewall rules to pfSense to run LAN 172.20.0.0/16 via the LAN GW. Belt and braces really (plus enables better fault finding).
During this process we ruled out red herrings such as:
IPV6 redirection issues
Routing table issues on the SSG140's
Firewall policies on the SSG140's
Scrub
This experience leads me to favour pfSense over packaged Juniper products (e.g. SSG140):
Better overall fault diagnosis than Juniper
Better tracing of traffic
Better tuning of configuration parameters
Better log information
