How to expose IPsec/IPIP tunnel IP to Linux when using VPP (StrongSwan + VPP IPsec) #3672

@hilamithai

Description

I’m working on an integration of VPP as the dataplane with Linux (FRR + applications) as the control plane, using StrongSwan with the VPP IPsec plugin.

My current setup is roughly:

Linux:
- Runs StrongSwan (IKE, SA management)
- Runs FRR / applications

VPP:
- Handles IPsec dataplane
- Uses ipip tunnels (route-based IPsec)

Linux ↔ VPP connectivity:
- Via TAP interface (Linux gateway to VPP)

This architecture works correctly for forwarding traffic, but I have a design question regarding address visibility.

The problem

The IP address assigned to the IPIP/IPsec tunnel interface in VPP (e.g. 60.60.60.2/24) exists only inside VPP.
Linux (and FRR) does not see this tunnel interface or its IP, so in order to:
- ping the remote peer from Linux
- run routing protocols (BGP/OSPF) in FRR
- allow applications to bind/use the tunnel IP

I currently route traffic via a Linux ↔ VPP TAP gateway with internal link-local addresses (e.g. 169.254.x.x/30).
This works, but Linux never “owns” or sees the actual tunnel IP.

Question

Is there a supported or recommended way to make the IPsec/IPIP tunnel IP visible to Linux, for example:

Exposing the tunnel IP to Linux via:
- linux-cp / LCP plugin
- TUN interface
- Any VPP-to-Linux mirroring mechanism

Specifically:
- Is it possible (or intentionally unsupported) to mirror an ipipX interface from VPP to Linux?
- Is the TAP-gateway + routing approach considered the correct design, with Linux never seeing the tunnel IP directly?
- Are there reference architectures or examples where Linux applications can bind to or ping using the tunnel IP when VPP handles IPsec?
