Executing the ./tunnelclient script on the Linux hub and importing the created client certificate on the tunnel client is not enough to establish the SSL tunnel connection.
The resolution came with creating the tunnel connection as follows:
In the setup you are using the local secondary hub as the tunnel client and for the IP of the remote hub it would see is the nat'ed IP.
This means the tunnel server runs on a remote secondary hub with a different local IP and it is translated to another IP at the firewall.
To resolve this run the ./tunnelclient setup on the remote hub, create a tunnel server as normal.
Next, create the tunnel client certificate (this is not the CA), with a wildcard * instead of the IP of the local secondary hub.
On the tunnel client, when you create the client connection, please untick the option "Check Server Common Name" and also set the Server IP to the Nat'ed IP address.