We're testing out the new Windows version and everything appears to be working correctly with the exception of traffic from the routers to the containers via the NAT on the Windows cells.  The IPSec session is working between the router and the Windows host itself but there is just no response when connecting to a mapped port inside a container.  For example:

router (10.10.10.10) -> windows2016-cell (10.10.10.11) - works fine for any open port (rep, consul etc.) on the cell itself
router (10.10.10.10) -> windows2016-cell (10.10.10.11) -> container (172.30.0.10) - no response to the external port for either HTTP or SSH (for example, 40000 and 40001)

As soon as we turn off IPSec the traffic works just fine and we can access the app via the gorouter and cf ssh is connecting successfully.  The error message from the router looks like this: