Hi Vinay,
Thanks for your advice.
I did not mean out-of-band management on any equipment, as I have not configured it anywhere. It simply was the inside VLAN interface of the switch. Say this is the 192.168.10.0/24 subnet on the MAS end.
To make it simple, let us just consider a MAS to a single controller link over Internet.
The controller side IP is a static public one (say 30.40.50.60) and the MAS side is a dynamic public IP, so yes, the peer addresses are reachable over the Internet; it is only that the MAS, as tunnel initiator, will make a call out to the controller, while the controller will simply be the responder and has its peer address set to 0.0.0.0.
For the controller side, the inside private subnet is 172.16.10.0/24. There is a DMZ VLAN 1 of 10.1.0.0/24 on the controller with IP address, say, 10.1.0.10, which is then mapped through the firewall to 30.40.50.60 for the outside world.
For the IPsec tunnel, the src-net at the MAS end is 192.168.10.0 255.255.255.0 and the dst-net is 172.16.10.0 255.255.255.0, with a peer-ip of 30.40.50.60.
After the IPsec tunnel forms, the GRE tunnel can form using the private end-to-end reachability provided by IPsec.
The tunnel source-ip (for L3 GRE) in this case is 192.168.10.1 (the gateway address for the inside hosts at the MAS) and the tunnel destination-ip is 172.16.10.10 (the IP address of the controller inside VLAN, which I also term the management VLAN).
If this works, then OSPF can be run over this GRE+IPsec tunnel. My confusion is around the tunnel source and destination interface requirements, but you clarified that these need to be the "interesting traffic", and that should confirm my assumption as well. There is a mention in the ArubaOS 7.4 book, but it is not clarified anywhere, and I would expect some diagram in the guides with IP addresses and VLAN IDs labeled, but there are none.
Let me know if this sounds correct. If this works, then L2GRE on the L3 MPLS between the two controller sites may not be necessary, as OSPF will do the magic of failover and reachability.
Thanks again,
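As an added sanity check (example code, not part of the post or any Aruba configuration): the GRE endpoints only get encrypted if they fall inside the IPsec selectors, i.e. the "interesting traffic". This script takes the addressing plan from the message above and reports the mismatches that would leave GRE/OSPF outside the SA; the plan dictionary is constructed from the post's values.

```python
import ipaddress

# Addressing plan as described in the post (constructed from the message, not a device config).
POST_PLAN = {
    "src_net": "192.168.10.0/24",   # MAS inside VLAN, IPsec local proxy ID (src-net)
    "dst_net": "172.16.10.0/24",    # controller inside VLAN, IPsec remote proxy ID (dst-net)
    "peer_ip": "30.40.50.60",       # controller public address (NAT of DMZ 10.1.0.10)
    "gre_src": "192.168.10.1",      # L3 GRE tunnel source-ip at the MAS
    "gre_dst": "172.16.10.10",      # L3 GRE tunnel destination-ip at the controller
}


def check_plan(plan):
    """Return a list of findings; an empty list means GRE/OSPF will ride inside the IPsec SA.

    The selectors (src-net -> dst-net) define the interesting traffic: only packets whose
    source is in src_net and destination in dst_net (and the reverse on the way back) trigger
    and use the SA, so the GRE endpoints themselves must match them.
    """
    src_net = ipaddress.ip_network(plan["src_net"])
    dst_net = ipaddress.ip_network(plan["dst_net"])
    peer_ip = ipaddress.ip_address(plan["peer_ip"])
    gre_src = ipaddress.ip_address(plan["gre_src"])
    gre_dst = ipaddress.ip_address(plan["gre_dst"])

    findings = []
    if src_net.overlaps(dst_net):
        findings.append("src-net and dst-net overlap: routes learned over the tunnel would be ambiguous")
    if gre_src not in src_net or gre_dst not in dst_net:
        findings.append("GRE endpoints fall outside the IPsec selectors: GRE/OSPF would never be "
                        "matched as interesting traffic, so it is sent unencrypted or not at all")
    if peer_ip in (gre_src, gre_dst):
        findings.append("a GRE endpoint is the IPsec peer address itself: GRE would run on the "
                        "outer, unprotected path instead of inside the SA")
    return findings


if __name__ == "__main__":
    for line in check_plan(POST_PLAN) or ["plan is consistent: GRE endpoints match the IPsec selectors"]:
        print(line)
```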