It looks like someone has figured out a way to get an absolutely free hostile code audit of their IPSEC implementation. Hundreds of the smartest people in the field will be looking at the code with a critical eye; a process that would cost millions if they were paid for their time, and all for the chance to put their name on the discovery of the backdoor.
Crypto implementations have a history of vulnerabilities. Who's to say that anything that anyone finds is proof one way or the other. It's not like you're going to see:
It's more likely to be something along the lines of skipping a crucial step in adding entropy or subtly botching the rekey cycle so that it leaks session information. If anything like that exists. This may all be a subtle troll of Theo De Raadt, or of the internet at large.
The mail Theo forwards has a vague description of what has been done (not that I understand it, mind you):
"My NDA with the FBI has recently expired, and I wanted to make you aware of the fact that the FBI implemented a number of backdoors and side channel key leaking mechanisms into the OCF, for the express purpose of monitoring the site to site VPN encryption system implemented by EOUSA, the parent organization to the FBI."
Being able to find a particular commit, made by the people previously accused during the correct time-period, and showing how what they did was subtlety broken? Sure, that's very possible. Proof of mal-intent is hardly necessary.
Yay for Open Source!