I'm not a big fan of using SLAX to make configuration changes to handle fail-over, so my answer may be a little biased 😉
You're running 11.4 so you can use ip-monitoring for a much cleaner fail-over:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB25052&actp=RSS
Basically this allows you to change a route dynamically (not in your config) based on the state of your RPM Probe.
On the VPN side, there is a number of things you can do. Looking at your configuration, it looks like you've got static IPs at both ends. So you have a couple of options:
1. Create two tunnels from each of your far-side nodes - one to each ISP address on ge-0/0/0 and ge-0/0/1. Then use either a routing protocol or static routes with configured BFD to select a primary tunnel, and fail-over to the backup tunnel. This will require you to configure 6 tunnels on the head-end, so just put all your primarys eith "external-interface ge-0/0/0" and all the secondarys with "external-interface ge-0/0/1".
There is probably a neater way to do this with just two multi-point tunnel interfaces and NHTB, but try the above method first.
2. You could create a single tunnel from each of the far-end nodes, but specify a secondary address for your IKE gateway to connect to. It's been a while since I used this method, but from memory, then tunnel will fail-over to the secondary address when DPD fails. So if your ISP1 on your head-end goes down, DPD should die around 30-40 seconds later, and then the tunnel will re-establish on the secondary gw. Again I think you need to configure two tunnels on the head-end per site, only one of which will be active at any time. Routing can be static and should fail-over when the primary tunnel is torn down. When ISP1 comes back, the tunnel should revert when your default gateway moves and the secondary tunnel fails (again after DPD timeout).
I would also turn off DPD and instead use BFD - the *fastest* BFD can mark a tunnel down is 30 seconds. BFD can do it in less than 1.
Hope this helps