there is no convenient way to do this with cisco as there is no virtual interface for the tunnel (that stays static for any period of time).
only way I can think to do it is have an ICMP test point through tunnel to point on other side that is only accessible through tunnel (i.e. don't do internet facing tunnel peer point).
We use routers to do our IPSEC tunneling and run GRE across. This gives you the virtual interface, though it also is not trustworthy as an indication of tunnel status. We run IPSLA pings across the GRE, sourcing from head end router GRE tunnel IP to remote GRE tunnel IP.
At least, that's where I got and landed a few years ago on this issue.