IPSEC ports/protocol numbers and UDP ports with NAT

in CCIE
I'm watching an INE video for IPSEC VPN's, specifically the section about IPSEC Control Plane vs Data Plane.
In the video the instructor is talking about how IPSEC uses port 500 (for AH and ESP) in the Control plane and Protocol numbers 50 and 51 for ESP and AH. But when the tunnel is going through NAT it uses different ports. It uses port 4500 for both the Control and Data Plane.
So I'm a bit confused as to how this works. UDP ports work at Layer 4, so so far moving the data from 4500 to 500 is clear, but why is port 4500 allowed and 4500 disallowed? That seems weird to me. It's like when you're trying to smuggle something over the border, but when you transfer to another car, this is going to work.
Also the part about the Data plane is not clear. Instead of using Protocol numbers (Layer 3) it moves the data to UDP 4500 (Layer 4). I'm not following how this works and why it works.
Comments
If you think about how NAT works, and specifically PAT/PNAT/overloading, the translating device overloads based on the source port address. But how does this work for IPsec, because IPsec doesn't use source ports? This is where NAT-T for IPsec comes in, and this is where the UDP port 4500 comes from.
When two devices are about to establish an IPsec VPN they do the normal ISAKMP thing and also indicate that they support NAT-T. If they both do, they can detect whether address translation is occurring between the two devices by each side sending the hash of their local socket (IP address, source port). When each side receives this hash, they each compute the same hash of the (source IP, source port) in the IP header from the receiver and compare the result to the hash. If they mismatch, NAT must be occurring somewhere in the middle.
If the two devices are RFC3947-compliant, they immediately switch to encapsulating the data into UDP with the port number 4500 for the remainder of the exchange and post-setup (i.e. sending normal application data). At the end when IPsec is up and working, you will notice an extra header in the stack which will be UDP. This is required so that the NAT device can overload based on the source port.
You can see on an existing pair of IPsec SAs whether NAT-T is in use.
Hope that helped!
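The two mechanisms described in the comment above, NAT detection via hashed (IP, port) and the switch to UDP 4500, can be illustrated in a few lines of Python. This is an added example, not code from the original thread or from any IPsec implementation. It follows RFC 3947 section 3.2 for the NAT-D hash (HASH over the initiator cookie, responder cookie, IP address and port; SHA-1 is assumed here, in practice it is the hash negotiated in phase 1) and RFC 3948 for the UDP 4500 demultiplexing rule (IKE on 4500 is prefixed with a four-zero-byte non-ESP marker, ESP is sent bare because an ESP SPI is never zero, and a single 0xFF byte is a NAT keepalive). The cookie values and addresses are constructed for the example.

```python
import hashlib
import ipaddress
import struct
from typing import Tuple

# Constructed ISAKMP cookies for the example (RFC 3947 calls them CKY-I / CKY-R).
CKY_I = bytes.fromhex("0102030405060708")
CKY_R = bytes.fromhex("1112131415161718")


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """RFC 3947 NAT-D payload: HASH(CKY-I | CKY-R | IP | Port).
    SHA-1 is an assumption; the real hash is whatever phase 1 negotiated."""
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


def nat_detected(cky_i: bytes, cky_r: bytes,
                 claimed_ip: str, claimed_port: int,
                 seen_ip: str, seen_port: int) -> bool:
    """Receiver-side check. The peer hashed the socket it believes it has
    (claimed_*). The receiver hashes the source IP/port actually present in
    the packet it got (seen_*). A mismatch means a NAT rewrote the header."""
    claimed = nat_d_hash(cky_i, cky_r, claimed_ip, claimed_port)
    observed = nat_d_hash(cky_i, cky_r, seen_ip, seen_port)
    return claimed != observed


# --- RFC 3948: what travels inside UDP 4500 once NAT-T is negotiated ---
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefix for IKE on port 4500
NAT_KEEPALIVE = b"\xff"                 # one-octet keepalive, keeps the PAT entry alive


def encap_ike(ike_message: bytes) -> bytes:
    """IKE on 4500 carries the non-ESP marker so the receiver can tell it from ESP."""
    return NON_ESP_MARKER + ike_message


def encap_esp(esp_packet: bytes) -> bytes:
    """ESP on 4500 is just the ESP packet after the UDP header (SPI first, never 0)."""
    spi = struct.unpack("!I", esp_packet[:4])[0]
    if spi == 0:
        raise ValueError("ESP SPI 0 would collide with the non-ESP marker")
    return esp_packet


def demux_udp4500(payload: bytes) -> Tuple[str, bytes]:
    """Classify a UDP 4500 payload the way an NAT-T capable receiver does."""
    if payload == NAT_KEEPALIVE:
        return ("KEEPALIVE", b"")
    if len(payload) < 4:
        raise ValueError("truncated UDP 4500 payload")
    if payload[:4] == NON_ESP_MARKER:
        return ("IKE", payload[4:])
    return ("ESP", payload)


def scenario() -> dict:
    """Constructed scenario: peer A is at 10.0.0.5:500 behind a NAT that
    rewrites it to 203.0.113.7:500 as seen by peer B at 198.51.100.9."""
    a_private = ("10.0.0.5", 500)
    a_as_seen_by_b = ("203.0.113.7", 500)
    b_public = ("198.51.100.9", 500)

    # B checks the NAT-D that A computed over A's own (private) socket.
    a_behind_nat = nat_detected(CKY_I, CKY_R, *a_private, *a_as_seen_by_b)
    # A checks the NAT-D that B computed; B's address arrives unchanged.
    b_behind_nat = nat_detected(CKY_I, CKY_R, *b_public, *b_public)

    # After detection both sides move to UDP 4500; show the demux on three kinds of payload.
    esp = struct.pack("!II", 0xC0FFEE01, 7) + b"ciphertext"   # SPI, sequence, constructed body
    kinds = [demux_udp4500(p)[0] for p in (encap_ike(b"IKE-cert-exchange"),
                                           encap_esp(esp),
                                           NAT_KEEPALIVE)]
    return {"a_behind_nat": a_behind_nat, "b_behind_nat": b_behind_nat, "kinds": kinds}


if __name__ == "__main__":
    print(scenario())
```

The point the example makes for the original question: the port change is not what gets the traffic through, the extra UDP header is. Once ESP rides inside UDP there is a source port for the PAT device to track and rewrite, and the receiver uses the non-ESP marker, not the port number, to tell IKE from ESP on 4500.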
With NAT, the first 2 exchanges use UDP 500 and then (starting with certificate exchange), they use UDP 4500 from there on out.
Device A --> Device B (UDP 500)
Device A <-- Device B (UDP 500)
Device A --> Device B (UDP 500)
Device A <-- Device B (UDP 500)
Device A --> Device B (UDP 4500 - Device A Sends its Certificate)
Device A <-- Device B (UDP 4500 - Device B Sends its Certificate)
...
Security: CCNA [ ]
Virtualization: VCA-DCV [ ]
True...
Its big use case is when you have dynamic IP addresses on one or both of the peers.
But what does this have to do with the UDP ports?
Maybe have a read over RFC3947 and it will answer all of your questions to do with this feature.
https://tools.ietf.org/html/rfc3947