I thought my statement was pretty clear, but it seems that I'll have to clarify. Tcpcrypt does not encrypt or authenticate the portions of the TCP header in the IP payload that encode port numbers and IP addresses. Neither does the (optional) authentication portion of tcpcrypt rely on port numbers or IP addresses, which in any case are easily forged. Present-day encryption protocols such as SSL and SSH already work fine over NAT -- there's no inherent reason why NAT is incompatible with strong authentication or encryption.
Besides the conference paper, the protocol has been implemented on Windows/Mac/Linux, and the implementation itself is publicly available on the web site under the GPL. The implementation demonstrably works over NAT, and it works with FTP and IRC and DCC and all those other problem cases that you cite. I suggest taking a look at the working implementation rather than arguing about whether or not the software works.
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds