Cannot see incoming ESP packets with a packet capture.
Hi, I am not able to see any incoming ESP packets when running a packet capture in FortiGate. The tunnel is UP and running, everything is working fine, but if I check the traffic, I can just see outgoing ESP packets but not incoming ones. I have a lot of FortiGate devices and the same happens in all of them. Am I missing something? Thanks!
Yes, are you specifying the right interface? If you do the following, where x.x.x.x is the remote-gateway:
diag sniffer packet any "src host x.x.x.x and proto 50"
And lastly, confirm the exact remote-gw IPv4 address is correct.
Ken Felix
PCNSE
NSE
StrongSwan
Or, are you sure it's not encapsulated in UDP 4500 because of NAT traversal? Just sniff everything against the remote-gw IP first.
I have found the reason: it was due to acceleration. After disabling the acceleration in the phase1-interface, I can now see traffic flowing in both directions.
config vpn ipsec phase1/phase1-interface
    edit "vpn_name"
        set npu-offload enable/disable
    next
end
You should be able to see them by just disabling "auto-asic-offload" on the policies, without disabling it on the IPsec/phase1. Just don't forget to re-enable it when you're done debugging.
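The thread mentions three pieces separately: the sniffer filter (which misses NAT-T traffic on UDP 4500 if it only matches proto 50), the per-policy "auto-asic-offload" setting, and the phase1-interface "npu-offload" setting. The following is an added example of the complete debugging sequence as one FortiOS CLI session; it is not from any post in this thread. The policy ID (7), tunnel name ("aws_vpn"), and remote gateway address (203.0.113.10) are constructed placeholders, so substitute your own values.

```fortios
# 1. Capture everything to/from the remote gateway, not only proto 50:
#    a NAT-T peer sends ESP encapsulated in UDP 4500, so a "proto 50"
#    filter alone shows nothing even though the tunnel is fine.
#    Verbosity 4 prints the interface and in/out direction per packet,
#    which is the thing being checked here. Count 0 = run until Ctrl-C.
diagnose sniffer packet any 'host 203.0.113.10 and (proto 50 or udp port 4500)' 4 0

# 2. If only outgoing ESP is shown, take the offloaded flows back to the
#    CPU so the sniffer can see them. Start with the least disruptive knob:
#    the policy that carries the traffic through the tunnel.
config firewall policy
    edit 7
        set auto-asic-offload disable
    next
end

# 3. The original poster reports that on their units the inbound ESP only
#    became visible after disabling offload on the phase1-interface itself.
#    Disabling this forces the IPsec processing for "aws_vpn" off the NPU.
config vpn ipsec phase1-interface
    edit "aws_vpn"
        set npu-offload disable
    next
end

# 4. Re-run the capture from step 1; both directions should now appear.

# 5. Restore hardware offload once debugging is done. Leaving it off
#    costs CPU and throughput on every flow these settings cover.
config firewall policy
    edit 7
        set auto-asic-offload enable
    next
end
config vpn ipsec phase1-interface
    edit "aws_vpn"
        set npu-offload enable
    next
end
```

Changing npu-offload on a phase1-interface can renegotiate the tunnel, so do it in a maintenance window where that matters. A useful check before disabling anything is that the capture shows nothing inbound at all, rather than inbound packets arriving on a different interface than expected, which is what the "any" interface in step 1 and the remote-gw sanity check earlier in the thread are for.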
The thing is that I wanted to check the traffic between my FortiGate and the AWS gateway, because the BGP session was not coming up. The traffic was between the FortiGate itself and the AWS remote gateway, so the traffic was not matching any rule as far as I know.
We have an IPsec between FGT and AWS for a customer, and running BGP over it. I can sniff BGP (TCP 179) exchanges with offloading enabled. I think it's because it's destined to FGT itself so it has to come out of NPU unlike passing-through traffic, which gets out of the egress interface only through NPU.
Yes, after some time I did realize that the tunnel was working fine (it was a BGP configuration issue) and I was able to sniff the traffic going through the tunnel. I was just shocked after seeing that everything was working fine when I fixed the BGP issue, but I was still unable to see ESP packets coming from the AWS public IP. Somehow the FortiGate just shows the outgoing ESP packets but not the incoming ESP packets when offloading is enabled.
Anyway, thank you very much for answers and information :)
