OK, I pushed enter too soon and it created this bug without a full description. Here is the full description:
In bug 1252891 we added a new IPSEC usage. The code was a compromise between strict and completely open usage. That compromise violated existing cert processing RFCs, namely the RFC requires that if you parse an extension, setting that extension to critical should not change how you parse said extension.
This created customer issues when they had keyUsage extensions, which were marked critical, but did not contain any IPSEC usage oids.
The libreSwan development team has suggested that IPSEC should accept all certificate usages. This seems problematic for the security team and the final agreement was that:
IPSEC should accept the current ipsec usages (including some deprecated usages), SSL server, SSL client, and S/MIME usages. Other specialized usages are still not accepted (code signing, OCSP and CRL signing, etc.), and it's possible to issue IPSEC-only certificates by using the IPSEC usages.
These new semantics also have the advantage of simplifying the previous IPSEC patch by making IPSEC work just like our SSLServer or S/MIME usages.
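As an added illustration (not code from this bug or from NSS), the agreed policy modelled as a check over a certificate's extKeyUsage value: the OID list comes from RFC 5280 and RFC 4945, the `parse_eku`/`ipsec_usage_ok` helpers and the sample DER values are constructed here, and treating a missing EKU extension as "any usage" is an assumption. The `critical` flag is taken but never consulted, which is the RFC point made above.

```python
# Added example (not NSS code): the agreed IPsec usage policy as a check
# over a DER extKeyUsage value. OIDs are from RFC 5280 and RFC 4945.
# Assumption: a certificate with no EKU extension is accepted for any usage.

IPSEC_ACCEPTED = frozenset({
    "1.3.6.1.5.5.7.3.17",  # id-kp-ipsecIKE
    "1.3.6.1.5.5.8.2.2",   # id-kp-ipsecIKEIntermediate
    "1.3.6.1.5.5.7.3.5",   # id-kp-ipsecEndSystem (deprecated)
    "1.3.6.1.5.5.7.3.6",   # id-kp-ipsecTunnel    (deprecated)
    "1.3.6.1.5.5.7.3.7",   # id-kp-ipsecUser      (deprecated)
    "1.3.6.1.5.5.7.3.1",   # id-kp-serverAuth      (SSL server)
    "1.3.6.1.5.5.7.3.2",   # id-kp-clientAuth      (SSL client)
    "1.3.6.1.5.5.7.3.4",   # id-kp-emailProtection (S/MIME)
})  # still rejected for IPsec: codeSigning (...7.3.3), OCSPSigning (...7.3.9)

def decode_oid(content: bytes) -> str:
    """Content octets of a DER OBJECT IDENTIFIER -> dotted string."""
    arcs, value = [], 0
    for b in content:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:          # last octet of this arc
            arcs.append(value)
            value = 0
    first = arcs[0]
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(map(str, head + arcs[1:]))

def parse_eku(der: bytes) -> list:
    """DER ExtKeyUsageSyntax (SEQUENCE OF OID) -> list of dotted OIDs.
    Short-form lengths only, which covers real-world EKU extensions."""
    if der[:1] != b"\x30" or der[1] & 0x80:
        raise ValueError("expected short-form DER SEQUENCE")
    body, oids = der[2:2 + der[1]], []
    while body:
        if body[0] != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER in EKU")
        n = body[1]
        oids.append(decode_oid(body[2:2 + n]))
        body = body[2 + n:]
    return oids

def ipsec_usage_ok(eku_der, critical: bool) -> bool:
    """True if the cert may be used for IPsec under IPSEC_ACCEPTED.
    `critical` is deliberately ignored: per RFC 5280 the critical flag
    must not change how an extension we already parse is interpreted."""
    if eku_der is None:          # assumption: no EKU means any usage
        return True
    return any(oid in IPSEC_ACCEPTED for oid in parse_eku(eku_der))

# Constructed sample EKU values: serverAuth+clientAuth, and codeSigning only.
TLS_EKU = bytes.fromhex("3014" "06082b06010505070301" "06082b06010505070302")
CODESIGN_EKU = bytes.fromhex("300a" "06082b06010505070303")
```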