This is exactly what happens when you are using NAT-T in the normal case too.
I.e. if the responder loses state, it cannot do anything until the
initiator reconnects.

What do you mean by state here? SA? It is not so easy for an attacker
to force the responder to lose its SA. If the responder is rebooted, then
it probably loses all the upper level connections with the initiator
and has nothing to send.

On the other hand, such a situation may appear if the NAT in between
deletes its mapping. The NAT keepalive messages from the initiator
will quickly create a new one; however, the responder won't use the
new ports until it receives a cryptographically protected message
from the initiator. This situation is similar to what I described.

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
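The responder behaviour described above (a NAT keepalive, or any unauthenticated packet from a new source port, must not move the peer mapping; only an integrity-protected packet does) as an added toy model, not code from the list posters or any IKE implementation. It assumes a hypothetical framing of payload || 16-byte truncated HMAC-SHA256 in place of real ESP/IKE integrity protection.

```python
import hmac
import hashlib

NAT_KEEPALIVE = b"\xff"  # RFC 3948 NAT-keepalive: a single 0xFF octet on UDP 4500
TAG_LEN = 16             # assumed truncated-MAC length for this model


class ResponderSA:
    """Responder-side view of one SA: remembers the initiator's current
    (address, port) as seen through the NAT and only updates it when a
    packet passes the integrity check."""

    def __init__(self, key: bytes, peer: tuple[str, int]):
        self.key = key
        self.peer = peer

    def _verify(self, data: bytes) -> bool:
        if len(data) <= TAG_LEN:
            return False
        body, tag = data[:-TAG_LEN], data[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        return hmac.compare_digest(tag, expected)

    def receive(self, src: tuple[str, int], data: bytes) -> str:
        # Keepalives carry no protection, so they never change where we send.
        if data == NAT_KEEPALIVE:
            return "keepalive-ignored"
        # Anything that fails the MAC is dropped without touching the mapping;
        # otherwise a spoofed datagram could redirect our traffic.
        if not self._verify(data):
            return "unauthenticated-dropped"
        # A genuine protected packet from a new address/port (e.g. after the
        # NAT recreated its mapping) is the only thing that moves the peer.
        if src != self.peer:
            self.peer = src
            return "peer-updated"
        return "ok"

    def send_target(self) -> tuple[str, int]:
        return self.peer


def protect(key: bytes, body: bytes) -> bytes:
    """Build a packet the responder will accept (constructed sample traffic)."""
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
```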
