Where can I specify the IPsec proposal and profile used for an IPIP/IPsec tunnel?
It uses the “default” proposal and profile without any apparent way to change it.
Instead of specifying an IPsec secret in the IPIP interface, create IPsec proposals, policies, peers & identities as required. When the IPIP encapsulated traffic matches the policy, it will have IPsec applied as specified.
So it is not possible if the peer is on dynamic IP?
Yes,
You can look at the ipsec setup created when you add ipsec to the ipip tunnel and make something similar.
But I think ipip requires a fixed address at each end anyway.
You could possibly use an IKEv2 tunnel (where the client can get a fixed tunnel address)
and run your IPIP tunnel over that.
Or perhaps run the IPIP over a WireGuard tunnel.
Even better, with luck you might be able to just use a WireGuard tunnel, without IPIP.
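The manual setup suggested in the reply above (no IPsec secret on the IPIP interface, with your own profile, proposal, peer, identity and policy), as an added example that is not taken from any post in this thread. It assumes RouterOS 6.44 or later syntax and fixed addresses at both ends; the addresses are documentation ranges, and the names `ipip-profile`, `ipip-proposal`, `ipip-peer` and `ipip1`, the algorithm choices and the secret are placeholders.

```routeros
# Added example, run on router A (198.51.100.1); mirror the addresses on router B.
# All names, addresses, algorithms and the secret are constructed placeholders.

# IPIP interface WITHOUT ipsec-secret, so no dynamic peer/policy bound to
# the "default" profile and proposal is generated.
/interface ipip
add name=ipip1 local-address=198.51.100.1 remote-address=203.0.113.1

# Phase 1 (IKE) parameters: this replaces the "default" profile.
/ip ipsec profile
add name=ipip-profile enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048

# Phase 2 (ESP) parameters: this replaces the "default" proposal.
/ip ipsec proposal
add name=ipip-proposal enc-algorithms=aes-256-cbc auth-algorithms=sha256 pfs-group=modp2048

# Peer tied to the custom profile.
/ip ipsec peer
add name=ipip-peer address=203.0.113.1/32 local-address=198.51.100.1 \
    profile=ipip-profile exchange-mode=ike2

# Authentication for that peer.
/ip ipsec identity
add peer=ipip-peer auth-method=pre-shared-key secret="REPLACE-WITH-LONG-RANDOM-SECRET"

# Transport-mode policy matching only the IPIP encapsulation (IP protocol 4)
# between the two tunnel endpoints, using the custom proposal.
/ip ipsec policy
add peer=ipip-peer proposal=ipip-proposal tunnel=no protocol=ipencap \
    src-address=198.51.100.1/32 dst-address=203.0.113.1/32 action=encrypt

# Check: the policy should show an established phase 2 state and the
# installed SAs should list the algorithms chosen above.
/ip ipsec policy print detail
/ip ipsec installed-sa print
```

Comparing this against the dynamic entries that RouterOS creates when `ipsec-secret` is set on the interface, as suggested in the thread, shows which fields were changed.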