thanks for this type of information, it isn't easy to find things like this on youtube. can you add more questions on IPsec nat traversal, that an interviewer can ask

Hi Admin. I took last two characters of HASH in above captures in my next query. Please check all references (which HASH I referenced for what) very carefully. So, in above captures, hash values are c6 (for source IP and source port) and c9 (for destination IP and destination port) in message 3. These values are from sender side. But other side which is receiver side sending HASH values in message 4, calculated HASH are 6f (for source IP and source port) and c6 (for destination IP and destination port). Now value C6 is common. It means source IP and source port HASH of sender side doesn't changed along the path. But HASH of destination IP and destination port was changed (destination HASH from the perspective of sender or we can say source HASH as well from the perspective of receiver). So, this is the reason that why in your displayed captures, ports are switched from 500 to 4500. Am I correct in my understanding? Please do some research on above and let me know the correct answer. Also, please let me know if any additional information required from my side to resolve above query. Thanks in advance.