Excellent writeup. A few very minor issues:
Under the section titled:
Configure the ipsec tunnel: (HUB public ip is xx.xx.225.218)
The 6th line references "esp-transport" but should use "esp-tunnel".
You need to enable IPsec on whichever interface you are using with a line like:
set vpn ipsec ipsec-interfaces interface eth?