@bp81
I solved my own problem, and wanted to record the answer in case others have similar.
First, my initial assessment that the IP address of a Neighbor entry had to match the Router ID that was set on that neighbor's BGP service was wrong. It didn't work for me initially because I had some other things set wrong.
Here's how it's now working:
I setup the IPSEC connection between Hub and Branch 1 as described above. The transit network for this link is 172.16.0.0/30. Hub gets 172.16.0.1, Branch 1 get 172.16.0.2.
The connection between Hub and Branch 2 is similar. The transit network is set to 172.16.0.4/30. Hub gets 172.16.0.5, Branch 2 gets 172.16.0.6.
The router ID for all routers is set to the LAN IP address in BGP, NOT the transit network IP address.
Each Neighbor entry specifies the transit network IP. Ergo, Hub 1 has neigbor entries that specify 172.16.0.2 (Branch 1) and 172.16.0.6 (Branch 2).
The last setting, and this turned out to be the trick that made it work, is in the Neighbor settings in the Next Hop section. Took me a bit to find and identify this as the solution to my 'chicken and the egg' problem in my OP. In the Next Hop action, I set Next Hop Action to "Set (Peer Only)" and I set Peer to "Peer Address (set only)".
This setting is what got things going as expected.
7c08b0b6-27b0-4f6b-9303-d428db2ab2be-image.png
