There are a few things you need to do here.
Main ASA
1. Enable "same-security-traffic permit intra-interface" to allow the vpn traffic to bounce off the outside interface on the hub firewall.
2. Edit your interesting traffic (crypto) acls to reflect the new traffic which will be part of the vpn tunnels between main and remote sites. For instance right now your crypto acls include traffic between main site and remote sites. You need to add acl for traffic between remote site to remote site. The config below will allow traffic from remote site 1 to remote site 2.
access-list crypto1 extended permit ip
access-list crypto1 extended permit ip
access-list crypto2 extended permit ip
access-list crypto2 extended permit ip
Remote ASA's
1. Add the new interesting traffic (crypto) acls. Mirror of the acls at main site ASA.
access-list crypto1 extended permit ip
access-list crypto1 extended permit ip
access-list crypto2 extended permit ip
access-list crypto2 extended permit ip
2. Add nat exemption for traffic from remote sites to remote sites for each remote ASA.
access-list inside_nat0_outbound extended permit ip
access-list inside_nat0_outbound extended permit ip
access-list inside_nat0_outbound extended permit ip
access-list inside_nat0_outbound extended permit ip