From: Lorenzo Colitti <lore...@google.com> Date: Tue, 19 Dec 2017 01:16:55 +0900
> - ICMP errors are similar to input, except the search is for the > outbound XFRM state, because the only data that is available is > the outbound SPI. Thus, ICMP errors are only processed if the > ikey is the same as the same as the okey. AFAICS this is > consistent with GRE tunnels, but not with existing VTI > behaviour. I think you will need to sort out the VTI ICMP behavior difference with what exists now.
