We tried running this setup with Instant-VPN instead, but we get the same type of behaviour. We can get a DHCP address locally on the IAP (from port 1 to port 2, for example), but as soon as the DHCP offer needs to traverse the tunnel to the controller it doesn't work.
We tried Aruba IPSEC and also GRE with the same type of error. I'm not sure why it blocks DHCP over a GRE tunnel; I'm almost sure that I've made, for example, guest networks that receive their DHCP from the other end of a GRE tunnel from the controller's perspective. So perhaps the limitation is on the AP side, that a DHCP offer is never passed over a tunnel?
Anyway, this setup seems to be doomed. :(
Cheers,