If ESP is used without integrity control it's possible to obtain plaintext data in ICMP error meesage by modifying source packet.
vulners.com/securityvulns/securityvulns:doc:8583