Suppose you have the following networks:
site1: 10.1.1.0/24
site2: 10.2.2.0/24
main : 10.0.0.0/24
then on the site1 router (or firewall) your crypto acl will look like this:
permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.0.0.255
permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
on the site2 router:
permit ip 10.2.2.0 0.0.0.255 10.0.0.0 0.0.0.255
permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
On the main router, use the mirror of the above acl's.
If you need more help, please post your current config for the 3 routers (assuming you are using IOS routers, if using Pix/Asa the concept is the same but you'll typically also need to adapt NAT exemption).
hth
Herbert