I have a couple of situations where it is advantageous or necessary to encapsulate ESP into UDP. In one case the ISP seems to be filtering outgoing ESP, but only over IPv6. (Unfortunately the other side is CGNAT through IPv4.) With ROS 6 I was able to set the local address of the peer to an address behind srcnat and fool the NAT detection into turning encapsulation on. With ROS 7.15.3 this technique no longer works. It always always always establishes the policy using protocol 50 directly.
Is there any other way to force encapsulation on ROS? I’ve read that other products are able to do this with a switch. I know the right answer is to fix the ISP, but I’m not holding my breath for AT&T. Though I’m completely mystified why they would be filtering it.
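One thing worth having while chasing this is an independent check of what the tunnel is actually putting on the wire, rather than trusting what the policy says. The following is an added example, not code from the poster or from MikroTik: a small classifier that takes raw IPv4 or IPv6 packets (IPv6 is assumed to carry no extension headers) and labels each one as native ESP (IP protocol 50), UDP-encapsulated ESP on port 4500 per RFC 3948, IKE on 4500 (recognised by the four-zero-byte non-ESP marker), or a NAT-T keepalive (a single 0xFF byte). The sample "capture" at the bottom is constructed inline with documentation addresses; feeding it real packets from a pcap would need a pcap reader, which is not shown here.

```python
import struct
from collections import Counter
from dataclasses import dataclass
from typing import Optional

ESP_PROTO = 50      # IP protocol number for native ESP
UDP_PROTO = 17
NAT_T_PORT = 4500   # UDP port used for NAT-T encapsulation (RFC 3948)


@dataclass(frozen=True)
class Classification:
    kind: str            # "raw-esp", "udp-esp", "ike-over-4500", "nat-keepalive", "other"
    spi: Optional[int]   # ESP SPI when the packet carries ESP, else None


# --- constructed sample packets (placeholder/documentation addresses, no checksums) ---

def _ipv4_header(proto: int, payload_len: int) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))


def _ipv6_header(next_hdr: int, payload_len: int) -> bytes:
    # Assumes no extension headers between the fixed header and the payload.
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB16s16s", 0x60000000, payload_len, next_hdr, 64, src, dst)


def make_raw_esp(spi: int, seq: int = 1, v6: bool = False) -> bytes:
    body = struct.pack("!II", spi, seq) + b"\x00" * 16   # SPI, sequence, dummy ciphertext
    hdr = _ipv6_header if v6 else _ipv4_header
    return hdr(ESP_PROTO, len(body)) + body


def make_udp(sport: int, dport: int, udp_payload: bytes) -> bytes:
    udp = struct.pack("!HHHH", sport, dport, 8 + len(udp_payload), 0) + udp_payload
    return _ipv4_header(UDP_PROTO, len(udp)) + udp


def make_udp_esp(spi: int, seq: int = 1) -> bytes:
    return make_udp(NAT_T_PORT, NAT_T_PORT, struct.pack("!II", spi, seq) + b"\x00" * 16)


# --- classifier ---

def _ip_payload(pkt: bytes):
    """Return (transport protocol, transport payload) for an IPv4 or IPv6 packet."""
    version = pkt[0] >> 4
    if version == 4:
        return pkt[9], pkt[(pkt[0] & 0x0F) * 4:]
    if version == 6:
        return pkt[6], pkt[40:]
    return None, b""


def classify(pkt: bytes) -> Classification:
    proto, payload = _ip_payload(pkt)
    if proto == ESP_PROTO and len(payload) >= 4:
        return Classification("raw-esp", struct.unpack("!I", payload[:4])[0])
    if proto == UDP_PROTO and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        data = payload[8:]
        if NAT_T_PORT in (sport, dport):
            if data == b"\xff":
                return Classification("nat-keepalive", None)
            if len(data) >= 4:
                first = struct.unpack("!I", data[:4])[0]
                # A zero first word is the non-ESP marker: IKE, not ESP. A real ESP SPI is never 0.
                if first == 0:
                    return Classification("ike-over-4500", None)
                return Classification("udp-esp", first)
    return Classification("other", None)


def summarize(packets) -> Counter:
    return Counter(classify(p).kind for p in packets)


def esp_is_encapsulated(packets) -> bool:
    """True only if ESP was seen inside UDP/4500 and never as native protocol 50."""
    counts = summarize(packets)
    return counts["udp-esp"] > 0 and counts["raw-esp"] == 0


# Constructed capture: IKE on 500, IKE on 4500, two encapsulated ESP packets, one keepalive.
SAMPLE_CAPTURE = [
    make_udp(500, 500, b"\x00" * 28),
    make_udp(NAT_T_PORT, NAT_T_PORT, b"\x00\x00\x00\x00" + b"\x11" * 28),
    make_udp_esp(0xC0FFEE01, 1),
    make_udp_esp(0xC0FFEE01, 2),
    make_udp(NAT_T_PORT, NAT_T_PORT, b"\xff"),
]

if __name__ == "__main__":
    print(dict(summarize(SAMPLE_CAPTURE)), esp_is_encapsulated(SAMPLE_CAPTURE))
```

Run over a capture taken on the WAN interface, `esp_is_encapsulated` answers the question in the post directly: if any native protocol-50 packets show up, the SA was negotiated without NAT-T regardless of what the NAT-detection trick was meant to achieve, and that is the traffic the upstream filter will drop.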