If you use site-to-site VPN and no ADVPN, you must configure the policies on the HQ site to allow flows on the VPN interfaces,
and then check the routing tables on each site to indicate the addresses of the remote sites.
1) Put all the sites into a zone and allow intra-zone traffic
2) Make policies from site 1-2, site 2-3, site 1-3, etc.
The method you choose depends on how granular you wish to be. If you need filtering between different devices, then the second would be your option. If you trust everything and just want them to work, then the first option.
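The two options above, written out as FortiOS CLI on the HQ FortiGate. This is an added illustration, not config from the original post or from Fortinet documentation; the tunnel interface names (vpn-site1, vpn-site2, vpn-site3), the zone name, the 10.x.0.0/24 LAN subnets and the policy names are all assumed for the example.

```fortios
# Option 1: one zone with intrazone allow. Traffic between the tunnel
# interfaces in the zone is permitted WITHOUT a firewall policy, so it is
# not logged and gets no UTM inspection. Use only if you trust every spoke.
# (Interface names are assumed for this example.)
config system zone
    edit "VPN-Spokes"
        set intrazone allow
        set interface "vpn-site1" "vpn-site2" "vpn-site3"
    next
end

# Option 2: explicit policies per site pair. Address objects first
# (subnets are assumed for this example).
config firewall address
    edit "site1-lan"
        set subnet 10.1.0.0 255.255.255.0
    next
    edit "site2-lan"
        set subnet 10.2.0.0 255.255.255.0
    next
    edit "site3-lan"
        set subnet 10.3.0.0 255.255.255.0
    next
end

# One policy per direction per pair; repeat the pattern for 2-3 and 1-3.
# Narrow "service" and keep logging on so inter-site flows are visible.
config firewall policy
    edit 0
        set name "site1-to-site2"
        set srcintf "vpn-site1"
        set dstintf "vpn-site2"
        set srcaddr "site1-lan"
        set dstaddr "site2-lan"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 0
        set name "site2-to-site1"
        set srcintf "vpn-site2"
        set dstintf "vpn-site1"
        set srcaddr "site2-lan"
        set dstaddr "site1-lan"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# Routing at HQ: each remote LAN must point at its tunnel interface,
# otherwise the policy is never matched. The spokes need the mirror image
# (routes for the other spokes' LANs pointing at their tunnel to HQ).
config router static
    edit 0
        set dst 10.1.0.0 255.255.255.0
        set device "vpn-site1"
    next
    edit 0
        set dst 10.2.0.0 255.255.255.0
        set device "vpn-site2"
    next
    edit 0
        set dst 10.3.0.0 255.255.255.0
        set device "vpn-site3"
    next
end
```

To check the result on each FortiGate, `get router info routing-table all` should show the remote LANs via the tunnel interfaces and `diagnose vpn tunnel list` should show the tunnels up. Note that an interface already referenced by a firewall policy cannot be added to a zone until that policy is removed or rewritten against the zone, so pick one option before creating the policies rather than mixing the two.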