Mikrotik
nApoBo3, 2020-10-11 21:45:23

How to find out through which interface IPsec traffic arrived, after it has been decapsulated, in order to implement QoS on MikroTik?

There are two MikroTik routers, each with two WAN interfaces; each WAN interface is connected to its own provider and has its own speed limit.
An IPsec tunnel is configured between the MikroTiks (in tunnel mode) without being tied to a specific interface (i.e. IPsec will encrypt traffic regardless of which interface it leaves through; the main thing is that it reaches the target node via any available route).
This is convenient because there is only one tunnel between the two routers, and if a provider fails it is simply rebuilt through a different interface. Thus it is not necessary to set up IPsec on each interface and have static addresses on all interfaces.
Inside IPsec an IPIP tunnel runs, into which all traffic that needs to be transferred between the two networks is directed.
wan interface - wan ip address - ipsec bridge interface - ipsec ip address - ipip interface - ipip ip address
QoS needs to be configured; if the WAN interfaces had the same speed, this would not be a problem.
But the WAN interfaces have different speeds, and therefore the traffic passing through each of them needs to be marked differently and placed in different queues. Marking the IPsec traffic itself is not a problem: it receives a mark on the interface through which it passed. But the traffic inside IPsec (inside IPIP) needs to be marked.
For example, SIP traffic decapsulated from IPsec traffic received via wan1 should receive one mark, and the same traffic decapsulated from IPsec traffic received via wan2 should receive another mark.

Is it possible to implement this?
For example, put a mark on the incoming IPsec packet that would be preserved on the IPIP packet and then on the plain IP packet. But as far as I understand, the mark is not preserved through these transformations.


2 answer(s)
Alexander Karabanov, 2020-10-12
@karabanov

In general, this is possible.
Here are the traffic flow diagrams (IPsec is at the very bottom): https://wiki.mikrotik.com/wiki/Manual:Packet_Flow
Here is an example of setting up QoS inside a tunnel: https://www.youtube.com/watch?v=sm7QGWl7Xh8
Two sets of rules, for the two interfaces. Traffic will only be affected by the rules that apply to the currently active interface.
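
A worked configuration of the approach this answer describes (two mangle rule sets, with only the set for the currently active WAN enabled), added here as an example; it is not from the original answer and not from MikroTik's documentation. The interface names wan1, wan2 and ipip1, the addresses 192.0.2.10 and 203.0.113.2, the link speeds and SIP on UDP/5060 are all assumed for illustration. The point it builds on: after IPsec decryption and IPIP decapsulation the inner packet enters prerouting with in-interface=ipip1, so nothing on it says which WAN carried the ESP. The script therefore reads the source address of the installed IPsec SA toward the peer to learn which WAN is active and toggles the rule sets accordingly.

```routeros
# Added example, not the original answer's code. Names, addresses and speeds are assumed:
# wan1 = 192.0.2.10 (10 Mbit down), wan2 = 198.51.100.10 (50 Mbit down),
# IPsec peer 203.0.113.2, IPIP tunnel interface ipip1 carried inside the IPsec tunnel.

/ip firewall mangle
# Rule set for wan1: marks decapsulated inner traffic as it arrives on ipip1.
# The comment "wan1-set" is the tag the switching script below enables/disables by.
add chain=prerouting in-interface=ipip1 protocol=udp dst-port=5060 \
    action=mark-packet new-packet-mark=sip-via-wan1 passthrough=no comment="wan1-set"
add chain=prerouting in-interface=ipip1 \
    action=mark-packet new-packet-mark=bulk-via-wan1 passthrough=no comment="wan1-set"
# Identical rules for wan2, disabled until wan2 is the path carrying the tunnel.
add chain=prerouting in-interface=ipip1 protocol=udp dst-port=5060 \
    action=mark-packet new-packet-mark=sip-via-wan2 passthrough=no comment="wan2-set" disabled=yes
add chain=prerouting in-interface=ipip1 \
    action=mark-packet new-packet-mark=bulk-via-wan2 passthrough=no comment="wan2-set" disabled=yes

/queue tree
# One download parent per provider, sized to that provider's speed; SIP gets top priority.
add name=dl-wan1 parent=global max-limit=10M
add name=dl-wan1-sip parent=dl-wan1 packet-mark=sip-via-wan1 priority=1
add name=dl-wan1-bulk parent=dl-wan1 packet-mark=bulk-via-wan1 priority=8
add name=dl-wan2 parent=global max-limit=50M
add name=dl-wan2-sip parent=dl-wan2 packet-mark=sip-via-wan2 priority=1
add name=dl-wan2-bulk parent=dl-wan2 packet-mark=bulk-via-wan2 priority=8

/system script
# Enables the rule set whose WAN address is the source of the installed SA toward
# the peer, and disables the other one. Run periodically from the scheduler.
add name=ipsec-qos-switch source={
    :local peer 203.0.113.2
    :local wan1addr 192.0.2.10
    :local sas [/ip ipsec installed-sa find dst-address=$peer]
    :if ([:len $sas] = 0) do={ :error "no installed SA toward $peer" }
    :local src [/ip ipsec installed-sa get [:pick $sas 0] src-address]
    :if ($src = $wan1addr) do={
        /ip firewall mangle enable [find comment="wan1-set"]
        /ip firewall mangle disable [find comment="wan2-set"]
    } else={
        /ip firewall mangle enable [find comment="wan2-set"]
        /ip firewall mangle disable [find comment="wan1-set"]
    }
}

/system scheduler
add name=ipsec-qos-switch interval=10s on-event=ipsec-qos-switch
```

The script assumes the peer is reached directly (no NAT-T, so the SA's src-address and dst-address carry no port suffix) and that only one tunnel to that peer exists. With a 10 s scheduler interval, traffic arriving in the first seconds after a failover is still marked under the old set, so shorten the interval if that matters. Check with /ip firewall mangle print stats and /queue tree print stats that counters only move in the enabled set and in its queues.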

Fedyun4ik, 2020-11-05
@Fedyun4ik

An IPsec tunnel is configured between the MikroTiks (in tunnel mode) without being tied to a specific interface (i.e. IPsec will encrypt traffic regardless of which interface it leaves through; the main thing is that it reaches the target node via any available route).
This is convenient because there is only one tunnel between the two routers, and if a provider fails it is simply rebuilt through a different interface. Thus it is not necessary to set up IPsec on each interface and have static addresses on all interfaces.

The question is, how did you do that? The IP addresses of the connection endpoints are specified right there, in Peers.
