The access points (AP) will only tunnel traffic when the client's location is not supported on the AP with which they have associated. We use EtherIP (IP protocol 97) to tunnel the layer 2 information needed for remote APs to support a network in which they have no interface. The AP will determine which locations it can support by sending out layer 2 traffic and monitoring the responses. Based on RFC 3378, EtherIP frames should traverse an IPSec tunnel without issue.
By default a role will use the Native AP VLAN for clients associated to that particular role. This means that whatever IP network the AP resides in will also be used to support the wireless clients. However, it is possible to specify a location within a role, which would effectively force all users in that particular role into a defined IP network as well. This would affect all clients who would use this role.
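As an added example (not from this thread and not the vendor's own code), here is a small Python decoder for the EtherIP encapsulation described above: per RFC 3378 the IP payload starts with a 16-bit header (version 3, reserved bits zero) followed by the raw Ethernet frame. A monitoring tool can use this to validate protocol 97 traffic and see which layer 2 frames are being tunnelled; the IP addresses, MAC addresses and ARP frame below are constructed sample values.

```python
import struct

ETHERIP_PROTO = 97     # IP protocol number assigned to EtherIP (RFC 3378)
ETHERIP_VERSION = 3    # RFC 3378: version field must be 3, 12 reserved bits must be 0


def parse_etherip(packet: bytes) -> dict:
    """Decode an IPv4 packet carrying EtherIP and return the inner Ethernet header.

    Raises ValueError for anything that is not a well-formed EtherIP tunnel packet,
    which is the case a monitoring tool should flag rather than silently skip.
    """
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    if proto != ETHERIP_PROTO:
        raise ValueError(f"IP protocol {proto} is not EtherIP (97)")
    payload = packet[(ver_ihl & 0x0F) * 4:total_len]
    if len(payload) < 2 + 14:
        raise ValueError("EtherIP payload too short to hold an Ethernet header")
    (hdr,) = struct.unpack("!H", payload[:2])
    version, reserved = hdr >> 12, hdr & 0x0FFF
    if version != ETHERIP_VERSION or reserved != 0:
        raise ValueError(f"bad EtherIP header: version={version} reserved={reserved:#x}")
    frame = payload[2:]
    return {
        "outer_src": ".".join(map(str, src)),
        "outer_dst": ".".join(map(str, dst)),
        "inner_dst_mac": frame[:6].hex(":"),
        "inner_src_mac": frame[6:12].hex(":"),
        "ethertype": struct.unpack("!H", frame[12:14])[0],
        "inner_payload": frame[14:],
    }


def build_etherip_packet(src_ip: str, dst_ip: str, frame: bytes) -> bytes:
    """Wrap an Ethernet frame in EtherIP + IPv4 (constructed test input; IP checksum left 0)."""
    payload = struct.pack("!H", ETHERIP_VERSION << 12) + frame
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         ETHERIP_PROTO, 0, src, dst)
    return ip_hdr + payload


# Constructed sample: an ARP request, the kind of layer 2 probe an AP sends to test a location.
SAMPLE_FRAME = (bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455") + b"\x08\x06"
                + bytes.fromhex("0001080006040001") + bytes.fromhex("001122334455")
                + bytes([10, 0, 0, 5]) + bytes(6) + bytes([10, 0, 0, 1]))
SAMPLE_PACKET = build_etherip_packet("192.0.2.10", "192.0.2.1", SAMPLE_FRAME)
```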