Just writing it up before I apply it tonight. Unit1 and Unit2 already have the trust-vr routes exported into trust2-vr, and I've verified that I see them in the remote firewalls' routing tables.
Unit1 - 192.168.15.0/24
set vrouter trust2-vr
set access-list 2
set access-list 2 permit 192.168.12.0/24 10
set access-list 2 permit 192.168.16.0/24 15
set route-map name from_ospf permit 10
set match ip 2
exit
set export-to vrouter trust-vr route-map from_ospf protocol ospf
exit
set address Trust 192.168.12.0/24 192.168.12.0 255.255.255.0
set address Trust 192.168.16.0/24 192.168.16.0 255.255.255.0
set group address "Trust" "Remote_Offices"
set group address "Trust" "Remote_Offices" add 192.168.12.0/24
set group address "Trust" "Remote_Offices" add 192.168.16.0/24
set policy id 8 from "Lightpath" to "Trust" "Any" "Remote_Offices" "ANY" permit
set policy id 8
set policy id 9 from "Trust" to "Lightpath" "Remote_Offices" "Any" "ANY" permit
set policy id 9
Unit2 - 192.168.12.0/24
set vrouter trust2-vr
set access-list 2
set access-list 2 permit 192.168.15.0/24 10
set access-list 2 permit 192.168.16.0/24 15
set route-map name from_ospf permit 10
set match ip 2
exit
set export-to vrouter trust-vr route-map from_ospf protocol ospf
exit
set address Trust 192.168.15.0/24 192.168.15.0 255.255.255.0
set address Trust 192.168.16.0/24 192.168.16.0 255.255.255.0
set group address "Trust" "Remote_Offices"
set group address "Trust" "Remote_Offices" add 192.168.15.0/24
set group address "Trust" "Remote_Offices" add 192.168.16.0/24
set policy id 8 from "Lightpath" to "Trust" "Any" "Remote_Offices" "ANY" permit
set policy id 8
set policy id 9 from "Trust" to "Lightpath" "Remote_Offices" "Any" "ANY" permit
set policy id 9
Unit3 - 192.168.16.0/24
set vrouter "trust-vr"
set access-list 1
set access-list 1 permit ip 192.168.16.0/24 1
set route-map name "to_trust2-vr" permit 1
set match ip 1
exit
set export-to vrouter "trust2-vr" route-map "to_trust2-vr" protocol connected
exit
set vrouter "trust2-vr"
set access-list 1
set access-list 1 permit ip 192.168.16.0/24 1
set route-map name "to_ospf" permit 1
set match ip 1
exit
set protocol ospf
set redistribute route-map "to_ospf" protocol imported
exit
exit
set vrouter trust2-vr
set access-list 2
set access-list 2 permit 192.168.12.0/24 10
set access-list 2 permit 192.168.15.0/24 15
set route-map name from_ospf permit 10
set match ip 2
exit
set export-to vrouter trust-vr route-map from_ospf protocol ospf
exit
set address Trust 192.168.12.0/24 192.168.12.0 255.255.255.0
set address Trust 192.168.15.0/24 192.168.15.0 255.255.255.0
set group address "Trust" "Remote_Offices"
set group address "Trust" "Remote_Offices" add 192.168.12.0/24
set group address "Trust" "Remote_Offices" add 192.168.15.0/24
set policy id 8 from "Lightpath" to "Trust" "Any" "Remote_Offices" "ANY" permit
set policy id 8
set policy id 9 from "Trust" to "Lightpath" "Remote_Offices" "Any" "ANY" permit
set policy id 9
Does that look right? I'll have to modify the policy numbers based on the site, but that's the general idea.