Well, it seems I'm stuck with IPsec, so I will have to figure it out.
That was clear, what is still not clear is how much of the IPsec setup has already been cast in concrete and how much of it you can set up as you want.
So if I'm understanding you correctly, I can specify multiple Policies for the same Peer in order to indicate multiple IPs/ranges, correct?
Almost - not multiple subnets but multiple combinations of local and remote subnet. So if you have subnets A and B on the local end and subnets 1, 2, 3 on the remote end, you need individual policies for the A1, A2, A3, B1, B2, B3 combinations.
Is there a way they could "masquerade" the link to gain access to anything beyond what I specify under Policies?
You can normally use masquerade/srcnat at the application client side, but it is much more complicated at the application server side (you need port forwarding in such a case). The traffic selection is done after all the firewall processing, including src-nat, has been done. So if you src-nat the whole client site to a single address, you can only use as many policies as you have subnets on the server site (the application-wise client may not be the IPsec-wise initiator).
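The two answers above (one policy per local/remote subnet combination, and traffic selection happening only after src-nat) can be checked with a small model. The following is an added example, not code from the thread or from any vendor; it assumes the device is a MikroTik RouterOS box (suggested by the masquerade/srcnat and Peer/Policy terminology, but not stated in the thread), the peer name `peer1` and the `/ip ipsec policy add` syntax are assumptions, and all subnets and addresses are constructed for the illustration.

```python
"""Model of policy-based IPsec traffic selection versus src-nat ordering.

Added example (not from the thread). It builds the A x {1,2,3} style policy
set described above, and then shows that a packet whose source was rewritten
by src-nat no longer matches any of those policies: the selectors are compared
against the post-NAT addresses.
"""
import ipaddress
from itertools import product


def build_policies(local_subnets, remote_subnets):
    """One policy per (local, remote) pair: A,B x 1,2,3 gives six policies."""
    return [(ipaddress.ip_network(l), ipaddress.ip_network(r))
            for l, r in product(local_subnets, remote_subnets)]


def render_routeros(policies, peer):
    """Render the policies as CLI lines.

    The parameter names follow the RouterOS 6.43+ /ip ipsec policy syntax as
    I know it; treat them as an assumption and check against your version.
    """
    return ["/ip ipsec policy add peer=%s tunnel=yes action=encrypt "
            "src-address=%s dst-address=%s" % (peer, s, d)
            for s, d in policies]


def apply_srcnat(src, nat_rules):
    """Return src after the first matching src-nat rule, unchanged if none."""
    for match_net, new_addr in nat_rules:
        if src in match_net:
            return new_addr
    return src


def select_policy(src, dst, policies):
    """First policy whose selectors contain both addresses, else None."""
    for s_net, d_net in policies:
        if src in s_net and dst in d_net:
            return (str(s_net), str(d_net))
    return None


def forward(src, dst, policies, nat_rules=()):
    """Simulate the firewall order: src-nat first, then IPsec selection.

    nat_rules is a list of (match_subnet, new_source_address) strings.
    Returns the matched (src-address, dst-address) selector pair, or None
    when the packet would bypass the tunnel entirely.
    """
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    rules = [(ipaddress.ip_network(m), ipaddress.ip_address(a))
             for m, a in nat_rules]
    return select_policy(apply_srcnat(src, rules), dst, policies)


if __name__ == "__main__":
    # Constructed sample data: two local subnets (A, B), three remote (1, 2, 3).
    local = ["10.1.0.0/24", "10.2.0.0/24"]
    remote = ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]
    policies = build_policies(local, remote)
    print("\n".join(render_routeros(policies, "peer1")))
    # Without NAT the packet matches the B3 policy.
    print(forward("10.2.0.9", "192.168.3.4", policies))
    # With the whole client site src-natted to one address, nothing matches
    # and the packet leaves the box outside the tunnel.
    nat = [("10.0.0.0/8", "203.0.113.1")]
    print(forward("10.2.0.9", "192.168.3.4", policies, nat))
    # The fix is one policy per remote subnet, keyed on the NATed address.
    nat_policies = build_policies(["203.0.113.1/32"], remote)
    print(forward("10.2.0.9", "192.168.3.4", nat_policies, nat))
```

The last two calls are the practical check: if you src-nat a site before it enters the tunnel, write the policies against the NATed address (one per remote subnet), and verify with a packet trace that nothing from the original subnets leaves in the clear.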
I see IPsec does not create an "interface", so it makes it tricky (in my mind at least) to try and button things up via the firewall.
From the firewall's point of view, you just have to refer to IP addresses and not to interface names. Other implications of not having a virtual interface are much worse.