
Re: IPsec tunnelling


Move this question over to SRX Security.

FYI - IPSec will use UDP port 500 by default. When you configure your IKE gateway, your end devices will use that address to set up the tunnel. If there is a device between them that is performing NAT, then the address will be changed and the IKE will drop the packet so the VPN will not come up. If you configure NAT-T, the whole entire packet will be wrapped in a UDP packet using port 4500. The other endpoint will then no longer drop the packet, but will simply strip the UDP header and find the correct IP and establish the VPN session. So if NAT-T is not configured, then you would not see port 4500.

This should also help in understanding the questions you asked while awaiting an answer.

https://www.juniper.net/documentation/en_US/junos/topics/concept/ipsec-nat-traversal-understanding.html
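
An added example, not part of the original post: a small Python classifier for UDP payloads captured on an IPsec peer, useful for checking whether a tunnel is actually running over port 4500. It goes beyond the post by using the RFC 3948 framing on port 4500 (four zero bytes before IKE, a single 0xFF keepalive byte, anything else is ESP); the function names and sample packets are constructed for illustration.

```python
import struct

IKE_PORT, NATT_PORT = 500, 4500
IKE_HDR = struct.Struct("!8s8sBBBBII")  # fixed 28-byte IKE header
NON_ESP_MARKER = b"\x00" * 4            # precedes IKE on port 4500 (RFC 3948)


def _ike(data, label):
    """Validate the IKE header length and append the major version."""
    if len(data) < IKE_HDR.size:
        return "malformed"
    version = IKE_HDR.unpack_from(data)[3]  # high nibble = major version
    return f"{label}-v{version >> 4}"


def classify(port, payload):
    """Label one UDP payload by the IPsec peer port it was sent to."""
    if port == IKE_PORT:
        return _ike(payload, "ike")
    if port != NATT_PORT:
        return "other"
    if payload == b"\xff":
        return "nat-keepalive"
    if len(payload) < 4:
        return "malformed"
    if payload[:4] == NON_ESP_MARKER:
        return _ike(payload[4:], "ike-natt")
    return "esp-in-udp"  # non-zero first four bytes are the ESP SPI


def nat_t_in_use(packets):
    """True if the capture contains valid port-4500 IPsec traffic."""
    natt = ("ike-natt", "esp-in-udp", "nat-keepalive")
    return any(classify(p, d).startswith(natt) for p, d in packets)


def sample_ike(version=0x20):
    """Constructed IKE header (hypothetical SPIs), not a real capture."""
    return IKE_HDR.pack(b"\x11" * 8, b"\x00" * 8, 33, version, 34, 0x08, 0, 28)


# Constructed captures as (destination port, UDP payload) pairs.
DIRECT = [(500, sample_ike()), (500, sample_ike())]
BEHIND_NAT = [
    (500, sample_ike()),
    (4500, NON_ESP_MARKER + sample_ike()),
    (4500, struct.pack("!II", 0xC0FFEE01, 1) + b"\x00" * 32),
    (4500, b"\xff"),
]
```
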

