Hello friends, not sure if this is the right place to post this question.
We had an issue with a VPN tunnel where we couldn't get phase 2 to come up properly between us and the remote side despite making sure everything matched... BUT, weirdly enough, IKEv1 tunnels would always work when we configured them; we wanted to configure IKEv2, but could not get phase 2 to work.
The path is Fw ---> Router ----> remote destination
So after looking at the logs we noticed that we kept sending to the peer on port 4500 (the NAT-T port), but never got a response on port 4500. UDP port 500 (ISAKMP) worked fine. The other end said the same thing: port 4500 would not communicate with us... it would just keep sending, but nothing came back. So we concluded that there is a NAT issue. We checked, and there are no ACLs anywhere blocking port 4500.
Next, I figured the problem is happening on the router, since the NATing happens on the router and not on the firewall. For this router, this was the first time that an IPsec tunnel was going through it, but the configs were exactly the same as on our other routers, so I couldn't figure out the issue, and the configs for this firewall were the same as on our other firewall that has IPsec tunnel configs. Anyway, I tried to make a static NAT entry on the router like this:
ip nat inside source static udp x.x.x.x 4500 interface GigabitEthernet0/0/1 4500
x.x.x.x = ip address of firewall
g0/0/1 is outside interface to internet/isp
Got a really strange error message when trying to do this config:
%Port 4500 is being used by system
So now I don't know what to do anymore, but for the heck of it, I disabled NAT-T on the tunnel and it came up right away. Now I'm just confused.
Why?? I don't understand how it even works with NAT-T being disabled. I thought ESP couldn't reference ports, so we have to have NAT-T enabled to fix that issue. Really confused, and I'd appreciate anyone helping me understand why that tunnel came up.
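As an added illustration (not part of the post above, and not vendor code), here is the mechanism that decides whether an IKEv2 tunnel moves from UDP/500 to UDP/4500 at all: the NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP notifies from RFC 7296 section 2.23, and the RFC 3948 framing used on UDP/4500 once the float happens. The topology, addresses, SPIs and ports are constructed to mirror the post (firewall behind a NATing router, remote peer on the Internet); the function names are my own.

```python
"""
Added example: IKEv2 NAT detection (RFC 7296 s.2.23) and UDP/4500 framing
(RFC 3948). Addresses, SPIs and ports below are constructed for illustration.
"""
import hashlib
import ipaddress
import struct


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """Data of a NAT_DETECTION_*_IP notify:
    SHA-1(SPIi | SPIr | IP address | port), SPIs 8 bytes each in header
    order, IP as raw 4/16 bytes, port as 2 bytes network order."""
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKEv2 SPIs are 8 bytes each")
    packed_ip = ipaddress.ip_address(ip).packed
    return hashlib.sha1(spi_i + spi_r + packed_ip + struct.pack("!H", port)).digest()


def build_nat_detection_notifies(spi_i, spi_r, src_ip, src_port, dst_ip, dst_port):
    """Sender side: the two notifies carried in IKE_SA_INIT, built from the
    addresses the sender *believes* it is using. With NAT-T disabled these
    notifies are simply not sent."""
    return {
        "NAT_DETECTION_SOURCE_IP": nat_detection_hash(spi_i, spi_r, src_ip, src_port),
        "NAT_DETECTION_DESTINATION_IP": nat_detection_hash(spi_i, spi_r, dst_ip, dst_port),
    }


def check_nat_detection(spi_i, spi_r, notifies, seen_src_ip, seen_src_port, my_ip, my_port):
    """Receiver side: recompute both hashes from the IP/UDP header actually
    observed on the wire and compare. A mismatch means a NAT rewrote that
    address. Returns the verdict and the UDP port IKE uses from IKE_AUTH on."""
    if notifies is None:  # peer did not send NAT-T notifies: no float ever
        return {"peer_behind_nat": None, "me_behind_nat": None, "ike_port": 500}
    peer_nat = notifies["NAT_DETECTION_SOURCE_IP"] != nat_detection_hash(
        spi_i, spi_r, seen_src_ip, seen_src_port)
    me_nat = notifies["NAT_DETECTION_DESTINATION_IP"] != nat_detection_hash(
        spi_i, spi_r, my_ip, my_port)
    return {"peer_behind_nat": peer_nat, "me_behind_nat": me_nat,
            "ike_port": 4500 if (peer_nat or me_nat) else 500}


# RFC 3948 framing on UDP/4500: IKE messages get a 4-byte zero "non-ESP
# marker", ESP is sent bare (an ESP SPI is never zero, so the first four
# bytes distinguish the two), and a NAT-keepalive is a single 0xFF byte.
NON_ESP_MARKER = b"\x00\x00\x00\x00"


def udp4500_wrap_ike(ike_msg: bytes) -> bytes:
    return NON_ESP_MARKER + ike_msg


def udp4500_wrap_esp(esp_packet: bytes) -> bytes:
    if esp_packet[:4] == NON_ESP_MARKER:
        raise ValueError("ESP SPI 0 is reserved; it would be parsed as IKE")
    return esp_packet


def udp4500_classify(payload: bytes) -> str:
    if payload == b"\xff":
        return "NAT-KEEPALIVE"
    if payload[:4] == NON_ESP_MARKER:
        return "IKE"
    return "ESP"


def demo():
    """Three constructed IKE_SA_INIT exchanges seen from the remote peer:
    firewall behind NAT, firewall not behind NAT, and NAT-T disabled."""
    spi_i = bytes.fromhex("0011223344556677")
    spi_r = bytes(8)  # responder SPI is still zero in the initiator's IKE_SA_INIT
    fw_ip, nat_ip, peer_ip = "10.0.0.5", "203.0.113.10", "198.51.100.7"

    # Firewall (initiator) builds notifies from its own private address...
    notifies = build_nat_detection_notifies(spi_i, spi_r, fw_ip, 500, peer_ip, 500)
    # ...but the peer sees the router's public address as the packet source.
    behind_nat = check_nat_detection(spi_i, spi_r, notifies, nat_ip, 500, peer_ip, 500)
    # Same notifies arriving untranslated: hashes agree, stay on UDP/500.
    no_nat = check_nat_detection(spi_i, spi_r, notifies, fw_ip, 500, peer_ip, 500)
    # NAT-T disabled on the initiator: no notifies at all.
    natt_off = check_nat_detection(spi_i, spi_r, None, nat_ip, 500, peer_ip, 500)
    return behind_nat, no_nat, natt_off


if __name__ == "__main__":
    for label, v in zip(("behind NAT", "no NAT", "NAT-T off"), demo()):
        print(f"{label:10s} -> {v}")
```

Run it and the first scenario reports the firewall as behind NAT and selects port 4500 for the rest of the IKE SA, which is exactly the point at which traffic to UDP/4500 has to survive the router's NAT in both directions; the other two scenarios stay on UDP/500 and carry ESP as IP protocol 50, with no port to match on.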