At least
ref https://www.rfc-editor.org/rfc/rfc4787
ref https://www.rfc-editor.org/rfc/rfc5382
ref https://www.rfc-editor.org/rfc/rfc6888
You can NFS-mount and do one standard non-NAT IPsec session via the default Linux NAT.
Also, exchanging 2 SYN+ACKs establishes a TCP connection.
Anyway, if you want to try it your way (fully-random has equalled random for a while now):
/etc/nftables.d/whatever.nft
# fragment, not a full ruleset: srcnat_wan must be reached from a postrouting nat base chain
# (OpenWrt fw4 does that and includes /etc/nftables.d/*.nft inside its table inet fw4,
# so this appends to the existing srcnat_wan chain)
chain srcnat_wan {
    # IPv4 only; pick the SNAT port at random from 1024-65535 instead of trying to keep the source port
    meta nfproto ipv4 meta l4proto { tcp, udp } masquerade to :1024-65535 random
}
The option as such would be good; say, *BSD uses random ports by default and loose modes are a config option, then some games don't work. Go figure who is better.
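To see what the random flag actually changes, here is an added example (not from the thread above) that reads `conntrack -L` style lines and checks two RFC 4787 properties per internal socket: whether the external port equals the internal one (port preservation) and whether one internal socket keeps a single external port across different destinations (endpoint-independent mapping, REQ-1), which is what the "some games don't work" complaint comes down to. The sample entries are constructed, not captured from a real host.

```python
import re
from collections import defaultdict

# Constructed conntrack -L style entries (not from a real host). 192.168.1.10 keeps its
# port across two destinations, 192.168.1.11 gets a different random port per destination.
SAMPLE = """\
udp      17 29 src=192.168.1.10 dst=198.51.100.7 sport=5000 dport=3478 src=198.51.100.7 dst=203.0.113.5 sport=3478 dport=5000 mark=0 use=1
udp      17 29 src=192.168.1.10 dst=198.51.100.8 sport=5000 dport=3478 src=198.51.100.8 dst=203.0.113.5 sport=3478 dport=5000 mark=0 use=1
udp      17 29 src=192.168.1.11 dst=198.51.100.7 sport=6000 dport=27015 src=198.51.100.7 dst=203.0.113.5 sport=27015 dport=41873 mark=0 use=1
udp      17 29 src=192.168.1.11 dst=198.51.100.9 sport=6000 dport=27015 src=198.51.100.9 dst=203.0.113.5 sport=27015 dport=52210 mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.1.12 dst=198.51.100.7 sport=40000 dport=443 src=198.51.100.7 dst=203.0.113.5 sport=443 dport=40000 [ASSURED] mark=0 use=1
"""

KV = re.compile(r"(\w+)=(\S+)")

def parse_entry(line):
    """Split one entry into original-direction (internal -> remote) and reply-direction tuples.

    conntrack prints src/dst/sport/dport twice: first the original direction, then the
    reply direction. The reply dst/dport is the NAT's external address and mapped port.
    """
    fields = line.split()
    if len(fields) < 2 or fields[0] not in ("tcp", "udp"):
        return None
    seen = defaultdict(list)
    for key, value in KV.findall(line):
        seen[key].append(value)
    try:
        return {
            "proto": fields[0],
            "internal": (seen["src"][0], int(seen["sport"][0])),
            "remote": (seen["dst"][0], int(seen["dport"][0])),
            "external": (seen["dst"][1], int(seen["dport"][1])),
        }
    except (IndexError, ValueError):
        return None  # truncated or non-NAT entry

def analyse(text):
    """Per (proto, internal ip, internal port): port preservation and mapping independence."""
    externals, remotes = defaultdict(set), defaultdict(set)
    for entry in filter(None, (parse_entry(l) for l in text.splitlines())):
        key = (entry["proto"],) + entry["internal"]
        externals[key].add(entry["external"])
        remotes[key].add(entry["remote"])
    report = {}
    for key, ext in externals.items():
        ports = sorted(p for _, p in ext)
        # Independence is only decidable once the same socket talked to >= 2 remote endpoints.
        independent = None if len(remotes[key]) < 2 else len(ext) == 1
        report[key] = {"port_preserved": all(p == key[2] for p in ports),
                       "endpoint_independent": independent, "external_ports": ports}
    return report
```

Run it against the real output of `conntrack -L` on the NAT box to see whether the `random` masquerade option turned a port-preserving, endpoint-independent mapping into a per-destination one.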