So the basic idea is that ikev2 and open vpn now support road warrior mode. that allows a vpn client to send a single packet in each direction if the other side is address changes. the typical use case is to allow a cellular service roaming between towers or providers to automatically re-establish the vpn tunnel even if the address of the client actually changes.

So, what you can do, with some possible expense is.

String one vpn tunnel though another in such a way that outermost tunnel establishes the path for the inner tunnel to take when connecting.

You can set things just so that the inner tunnel can reconnect automatically whenever its source addresses changes in one round trip. well, imagine if the outer tunnel changes around periodically. people will have a very difficult time discerning where the inner tunnel is coming from, because the apparent address from which it connects can basically be rotated periodically, on purpose.

As i understand it there is also a way to transfer a security association from one computer to the next, which would allow a single tunnel to inform a connected client that the server's address has just changed, and it should all work about exactly like we discussed in the two tunnel case. does this make and sense?

Sorry it's complicated to describe without a whiteboard!