ipsec6_common_input_cb() uses partial copy of ip6_input() to parse headers. But it isn't correct,when we use tunnel mode IPSec.
When we stripped outer IPv6 header from the decrypted packet, it becomes IPv4 packet and should be handled by ip_input.
Also when we use tunnel mode IPSec with IPv6 traffic, we should pass decrypted packet with inner IPv6 header to ip6_input, it will correctly handle it and also can decide to forward it.
skip variable points to offset where payload starts. In tunnel mode we reset it to zero after stripping the outer header. So, when it is zero, we should requeue mbuf via netisr.