Everything is sent through the IPsec tunnel from the public IP address of your RAP to the public IP address of your controller.
Firewall Ports
RAPs connect to the controller on UDP port 4500 for establishing the IPsec connection.
Can you check the datapath session from the outer IP address of the RAP?
Not sure if you should see the same ports (UDP/4500) coming from the private IP address that the controller provides to the RAPs using the VPN pool.
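As an added example (not from this thread and not Aruba's own tooling), the check below walks a list of constructed session records in a simplified (source IP, destination IP, protocol, destination port) form, not the controller's real datapath session output, and reports whether the expected outer UDP/4500 session exists between the RAP and controller public addresses and whether any VPN-pool address also shows up on UDP/4500, which is the case the post above is unsure about and worth inspecting. The addresses and pool are assumed placeholders.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses for the example; substitute your own.
RAP_PUBLIC_IP = "203.0.113.10"
CONTROLLER_PUBLIC_IP = "198.51.100.5"
VPN_POOL = ip_network("10.250.0.0/24")   # inner addresses the controller hands to RAPs
NAT_T_PORT = 4500                        # UDP port the RAP uses for the IPsec tunnel

# Constructed session records in a simplified form, not real datapath output:
# (source IP, destination IP, protocol, destination port)
SESSIONS = [
    ("203.0.113.10", "198.51.100.5", "udp", 4500),  # expected outer tunnel session
    ("10.250.0.7", "10.1.1.20", "tcp", 443),         # normal inner traffic from the pool IP
    ("10.250.0.7", "198.51.100.5", "udp", 4500),     # pool IP on the tunnel port: inspect this
]


def check_rap_sessions(sessions, rap_ip, controller_ip, pool=VPN_POOL, port=NAT_T_PORT):
    """Return whether the outer tunnel session is present and which pool IPs use UDP/4500."""
    tunnel_up = False
    pool_on_nat_t = []
    for src, dst, proto, dport in sessions:
        if src == rap_ip and dst == controller_ip and proto == "udp" and dport == port:
            tunnel_up = True            # outer session seen from the RAP's public IP
        elif ip_address(src) in pool and proto == "udp" and dport == port:
            pool_on_nat_t.append(src)   # inner (VPN-pool) address on the tunnel port
    return {"tunnel_up": tunnel_up, "pool_on_nat_t": pool_on_nat_t}


if __name__ == "__main__":
    print(check_rap_sessions(SESSIONS, RAP_PUBLIC_IP, CONTROLLER_PUBLIC_IP))
```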