NAT Traversal performs two tasks: it detects whether both ends support NAT-T, and NAT-Discovery, which detects NAT devices along the transmission path.
The NAT-D payload is a hash of the original IP and port. Devices exchange two NAT-D packets, one with the source IP and port and another with the destination IP and port. The receiving device recalculates the hash and compares it with the received one; if they don't match, a NAT device exists.
NAT-T encapsulates IPsec packets in UDP packets on port 4500, providing information to the PAT device for translation.
Let's say that we have the network in that picture, with PAT running on the router. How does the PAT device make a unique global identifier if both clients use the same NAT-T global UDP port 4500?
How does NAT-T really work in that case?
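The NAT-D hash check described in the question, as an added example that is not part of the original thread: it follows the RFC 3947 construction HASH(CKY-I | CKY-R | IP | Port) with SHA-1 assumed as the negotiated IKE hash, uses constructed cookies and TEST-NET addresses, and models the PAT router with a simplified port-mapping table (an assumption, not any vendor's behaviour).

```python
import hashlib
import ipaddress
import struct

# Constructed sample IKE cookies (8 bytes each); real ones come from the IKE SA.
CKY_I = bytes.fromhex("0123456789abcdef")
CKY_R = bytes.fromhex("fedcba9876543210")


def nat_d_hash(cky_i, cky_r, ip, port):
    """NAT-D payload body per RFC 3947: HASH(CKY-I | CKY-R | IP | Port).
    SHA-1 is assumed as the negotiated IKE hash; the port is 2 bytes big-endian."""
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


def build_nat_d(cky_i, cky_r, src_ip, src_port, dst_ip, dst_port):
    """Sender emits two NAT-D payloads: the peer's (destination) address first,
    then its own (source) address, both hashed over the original, pre-NAT values."""
    return [nat_d_hash(cky_i, cky_r, dst_ip, dst_port),
            nat_d_hash(cky_i, cky_r, src_ip, src_port)]


def detect_nat(payloads, cky_i, cky_r, seen_src_ip, seen_src_port, my_ip, my_port):
    """Receiver recomputes both hashes from the addresses it actually observes.
    Returns (sender_is_behind_nat, receiver_is_behind_nat)."""
    my_hash = nat_d_hash(cky_i, cky_r, my_ip, my_port)
    src_hash = nat_d_hash(cky_i, cky_r, seen_src_ip, seen_src_port)
    return (src_hash not in payloads[1:], payloads[0] != my_hash)


class SimplePAT:
    """Simplified PAT model (assumption): each inner (ip, port) is mapped to the
    single public IP and the next free external port, starting at 4500."""
    def __init__(self, public_ip):
        self.public_ip, self.table, self.next_port = public_ip, {}, 4500

    def translate(self, inner_ip, inner_port):
        key = (inner_ip, inner_port)
        if key not in self.table:
            self.table[key] = (self.public_ip, self.next_port)
            self.next_port += 1
        return self.table[key]


def simulate(client_ip, pat, peer_ip="198.51.100.5", peer_port=4500):
    """A client sends its NAT-D payloads through the PAT; the peer checks them."""
    payloads = build_nat_d(CKY_I, CKY_R, client_ip, 4500, peer_ip, peer_port)
    seen_ip, seen_port = pat.translate(client_ip, 4500)   # what the peer observes
    return (seen_ip, seen_port), detect_nat(payloads, CKY_I, CKY_R, seen_ip, seen_port, peer_ip, peer_port)


if __name__ == "__main__":
    pat = SimplePAT("203.0.113.1")
    for client in ("192.168.1.10", "192.168.1.11"):   # both use source port 4500
        print(client, "->", simulate(client, pat))
```

Both clients hash their private address, so the peer's recomputation over the translated source never matches and it flags a NAT in front of the sender, while the PAT keeps the two flows apart by the distinct external port it assigned to each.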
No, it will never work for AH through a NAT/PAT device, as it will break the hash.
IETF article in 2004:
"Turns out, though, that by defining a mechanism to encapsulate ESP (but not AH) inside UDP, it’s possible to forward IPsec traffic through a NAT without it getting rejected. Each side sends some discovery packets to the other to determine if there is a local NAT present and if both sides are capable of performing NAT traversal (NAT-T)."
"As of this writing, NAT-T is still an Internet draft. The authors continue to make minor changes to improve functionality and interoperability. NAT-T is not defined for AH because there’s no way to effectively work around the AH integrity violation problem."