forecast plugin always used when XFRM mark is enabled
The Forecast wiki page says it is used on any SA negotiated that uses a unique mark, and in the example config shows
mark=%unique, but it is also used when not using the special value %unique (e.g. mark=2). The forecast plugin installs iptables rules in the mangle table, and they break my VTI tunnels.