When using IPsec tunnel mode, VTIs provide many benefits compared to direct configuration of xfrm policies / states. However, one limitation is that there can only be one VTI between a given pair of IP addresses. This does not allow configuring multiple IPsec tunnels to the same security gateway. This is required by some deployments, for example I-WLAN [3GPP TS 24.327].
This patchset introduces a new VTI_KEYED flag that allows configuration of multiple VTIs between the same IP address pairs. The output path is the same as current VTI behaviour, where a routing lookup selects a VTI interface, and the VTI's okey specifies the mark to use in the XFRM lookup. The input and ICMP error paths instead work by first looking up an SA with a loose match that ignores the mark. That mark is then used to find the tunnel by ikey. This approach is simple and requires few userspace changes, but it has one limitation in that ICMP errors received in response to VTI-emitted packets can only be processed if the VTI's ikey and okey are the same. This limitation could be lifted by introducing another XFRM mark, similar to XFRMA_OUTPUT_MARK, but used for input.
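A toy model of the three lookup paths described above (output by okey, input by loose SA match then ikey, and the ICMP error case), added here as an illustration and not code from the patchset; the tunnel and SA tables, addresses, SPIs and helper names are constructed assumptions:

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class SA:
    src: str
    dst: str
    spi: int
    mark: int       # XFRM mark the SA was installed with
    direction: str  # "out" or "in"

@dataclass(frozen=True)
class VTI:
    name: str
    local: str
    remote: str
    ikey: int  # mark used to find this tunnel on input
    okey: int  # mark used in the XFRM lookup on output

# Constructed tables (assumption): two keyed VTIs between the same address pair.
VTIS = [VTI("vti_a", "10.0.0.1", "10.0.0.2", ikey=1, okey=1),
        VTI("vti_b", "10.0.0.1", "10.0.0.2", ikey=2, okey=3)]
SAS = [SA("10.0.0.1", "10.0.0.2", 0x100, 1, "out"), SA("10.0.0.2", "10.0.0.1", 0x200, 1, "in"),
       SA("10.0.0.1", "10.0.0.2", 0x300, 3, "out"), SA("10.0.0.2", "10.0.0.1", 0x400, 2, "in")]

def output_path(vti: VTI, sas=SAS) -> SA | None:
    """Output: routing chose `vti`; its okey is the mark used to select the SA."""
    for sa in sas:
        if (sa.direction == "out" and sa.src == vti.local
                and sa.dst == vti.remote and sa.mark == vti.okey):
            return sa
    return None

def loose_sa_lookup(dst: str, spi: int, sas=SAS) -> SA | None:
    """Input/ICMP: match the SA on (dst, spi) only, ignoring the mark."""
    return next((sa for sa in sas if sa.dst == dst and sa.spi == spi), None)

def tunnel_by_ikey(mark: int, vtis=VTIS) -> VTI | None:
    return next((v for v in vtis if v.ikey == mark), None)

def input_path(dst: str, spi: int) -> VTI | None:
    """Received ESP: loose SA match, then the SA's mark selects the tunnel by ikey."""
    sa = loose_sa_lookup(dst, spi)
    return tunnel_by_ikey(sa.mark) if sa else None

def icmp_error_path(quoted_dst: str, quoted_spi: int) -> VTI | None:
    """ICMP error quoting a VTI-emitted packet: the quoted header carries the outbound
    SPI, so the loose match yields the outbound SA and its mark (the okey) is searched
    among ikeys; the tunnel is therefore found only when ikey == okey."""
    return input_path(quoted_dst, quoted_spi)
```

In the constructed tables, vti_a (ikey == okey) is found on all three paths, while an ICMP error for a packet emitted by vti_b (okey 3, ikey 2) matches no tunnel.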