Each edge controller should have its own IPsec tunnel to the core controller VRRP address. In the event of a core controller failure, VRRP should handle the failover to the other controller, and the tunnels should be rebuilt.
If an edge controller fails, either VRRP or HA fast failover can handle the APs failing over to the other edge controller, and the Guest traffic can utilise the IPsec tunnel for this controller.
Does this make sense or am I missing something obvious?
I have done the above set-up for a customer using GRE tunnels over IPsec and it worked without issue.