Secret selector's are used to assign secret by specified selector to tunnel, you can always use %any or 0.0.0.0 (if you left it empty, it will use %any anyway), or assign specific IP addresses, FQDN's to select secret according to IPsec tunnel attributes like local ID, remote ID and remote IP address. So in your case it would be best to use Public HUB IP address in spokes as selectors and 0.0.0.0 and %any in HUB.
So the keep alive's are enabled by default, to check if the link between two points is not broken, it's not an error, just a feature.