So the master/local IPsec tunnels only establish connectivity between the two controllers specifically.
If you want to have more clients pass traffic over those tunnels, you have to do that via "ip route x.x.x.x y.y.y.y ipsec map" on both sides to allow them to pass traffic. In other words, write routes on each side pointing to that IPsec map for each subnet you want to advertise reachability to.