Use of 3rd party firewall
Hi, I've installed a 3rd party firewall to run an IPsec VPN on and route VPN-targeted traffic from other application servers on my Linode infrastructure. Kindly let me know how I can enable this routing from the app server to the firewall server.
Also, how can I make the firewall reachable by other servers via the private IP?
thanks
1 Reply
In terms of routing via private IP, you'll need to make sure a couple of things are in place:
- A Linode-assigned private IP address on each node (guide: Adding Private IP Addresses)
- If you're looking for a direct connection via private IP (which it sounds like you are), the servers will need to be in the same data center first so that they can utilize the Linode Private Network. You can migrate any servers from data center to data center using the instructions in this guide: How to Initiate a Cross Data Center Migration for your Linode
In order for the firewall server to accept connections from other servers, the IPs of those servers will need to be manually whitelisted on a case-by-case basis. It's important to note that the private IP assigned to the firewall server itself is not reachable from outside the Linode private network. That said, for Linodes within the same data center as that server, they will be able to connect via the Linode private network so long as the firewall is accepting those specific connections.
While I know you mentioned using a third-party firewall, there's another really good Community site post that reviews how to set up this scenario using iptables rules. The application may be different, but the same concept applies here:
Setup private networking between 2 Linodes
Otherwise, are you able to specify which firewall application you've installed?
There are a couple of ways to achieve IPsec protocol-based communication between servers, and I found some resources that might point you in the right direction:
- You can use a client such as strongSwan that utilizes key authentication
- This Github post has some nice step-by-step instructions on how to set up VPN clients via the command line: Configure IPsec/L2TP VPN Clients
- I'm not sure what distro you're using, but this tutorial on installing Openswan (not to be confused with strongSwan) and implementing a VPN on CentOS is really good: How To Install Openswan And Create Site-to-Site VPN On CentOS 7
- You can also create an authentication key pair using racoon to achieve a secure connection with IPsec. I was able to find some pretty great instructions on achieving this from this IBM IPsec tutorial
I know this is a lot to get through, but I hope it gives you a good starting point to work with. If I misunderstood any part of your question, please let me know. Additionally, following some of the suggestions in this post may help the Community better understand your situation as well. :)
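One way to put the pieces of the reply together, as an added example that is not from the original thread or from Linode: a POSIX shell script that prints the iptables whitelist for the firewall Linode (only named app servers may reach its private IP, IPsec traffic is allowed in, and forwarding is limited to those servers and the tunnel subnet) and the static route each app server needs so that only VPN-bound traffic goes via the firewall. Every address, subnet and interface name below is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not code from the original post. All values are constructed
# placeholders; substitute your own private IPs, tunnel subnet and interface.

FW_PRIVATE_IP="192.168.150.10"                    # firewall Linode's private IP
APP_PRIVATE_IPS="192.168.150.20 192.168.150.21"   # app servers allowed through
VPN_SUBNET="10.50.0.0/24"                         # remote network behind the IPsec tunnel
PRIVATE_IF="eth0"                                 # interface carrying the private IP

# Firewall side. Each app server is whitelisted individually (the case-by-case
# whitelist the reply describes); anything else arriving on the private IP is
# dropped. IKE (UDP 500/4500) and ESP are accepted so the IPsec peer can
# negotiate, and forwarding is limited to app server <-> tunnel subnet.
gen_firewall_rules() {
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for ip in $APP_PRIVATE_IPS; do
        echo "iptables -A INPUT -i $PRIVATE_IF -s $ip -d $FW_PRIVATE_IP -j ACCEPT"
        echo "iptables -A FORWARD -i $PRIVATE_IF -s $ip -d $VPN_SUBNET -j ACCEPT"
    done
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -p udp --dport 500 -j ACCEPT"
    echo "iptables -A INPUT -p udp --dport 4500 -j ACCEPT"
    echo "iptables -A INPUT -p esp -j ACCEPT"
    echo "iptables -A INPUT -i $PRIVATE_IF -d $FW_PRIVATE_IP -j DROP"
    echo "iptables -P FORWARD DROP"
    echo "sysctl -w net.ipv4.ip_forward=1"
}

# App-server side: a single static route sends only VPN-bound traffic to the
# firewall's private IP; the default route for everything else is untouched.
gen_app_route() {
    echo "ip route add $VPN_SUBNET via $FW_PRIVATE_IP dev $PRIVATE_IF"
}

# Sanity check: how many app servers ended up whitelisted on the firewall.
count_whitelisted() {
    gen_firewall_rules | grep -c -- "-A INPUT -i $PRIVATE_IF -s .* -d $FW_PRIVATE_IP -j ACCEPT"
}

echo "# run on the firewall Linode (as root):"
gen_firewall_rules
echo "# run on each app server (as root):"
gen_app_route
echo "# whitelisted app servers: $(count_whitelisted)"
```

The script only prints the commands, so you can review them before running them on the respective host; the firewall rules apply to the firewall Linode, the route to each app server.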