Never mind, I tested and the LOCAL subnet does not have to be hosted on m0n0 - that's good. So now I
wonder if I changed the stub to a different network entirely, and just used a /8 mask on the
10.0.0.0 network if that would accomplish what I need. It seems like m0n0 won't care if the mask is
different. I'll give it a whirl and post back.
I'll sneak in a modest feature request - a clone button for VPNs similar to what is on the FW.

You can't just throw in static routes because traffic to 10.100.100.x
won't be seen as needing to go through the tunnel. You can create a
second IPsec connection between the two m0n0walls for the 10.100.100.x
net and that should work.