Nodegrid ↔ Meraki IPsec NAT-T Issue

Summary
Nodegrid devices implement IPsec using Libreswan with IKEv2. NAT‑Traversal (NAT‑T) is automatic when NAT is detected, per RFC 7296. When NAT is present, traffic transitions from UDP/500 to UDP/4500 without requiring manual configuration.
The observed error NO_PROPOSAL_CHOSEN occurs during Phase 1 (IKE_SA_INIT). This means cryptographic proposals were rejected before NAT detection and NAT‑T negotiation. As a result, this issue is not related to NAT‑T, but to a Phase‑1 proposal mismatch.
Typical causes

  • IKE version mismatch (IKEv1 vs IKEv2)
  • Phase 1 encryption or integrity mismatch
  • Diffie‑Hellman group mismatch
  • Lifetime mismatch

Customer action items

  • Confirm IKEv2 on both Meraki and Nodegrid
  • Match Phase‑1 crypto parameters exactly
  • Allow UDP 500 and UDP 4500 end‑to‑end

Meraki Nodegrid Compatibility Checklist

Phase 1 (IKE)

  • IKE Version: IKEv2 only
  • Encryption: AES‑128 or AES‑256
  • Integrity: SHA‑256
  • DH Group: 14 (recommended)
  • Lifetime: Must match
  • NAT‑Traversal: Automatic

Phase 2 (ESP)

  • Encryption: AES‑128 or AES‑256
  • Integrity: SHA‑256
  • PFS: Optional (DH must match if enabled)
  • Lifetime: Must match

Network Requirements

  • Allow UDP 500 (IKE)
  • Allow UDP 4500 (NAT‑T / ESP-in-UDP)
  • Disable or bypass IPsec ALG / inspection

Troubleshooting Guide

Understanding NAT‑T on Nodegrid

  • NAT‑T is automatic when using IKEv2
  • No UI or CLI toggle is required or expected
  • ESP encapsulation happens only after Phase‑1 succeeds

Understanding NO_PROPOSAL_CHOSEN

  • Generated during IKE_SA_INIT
  • Indicates Phase‑1 crypto rejection
  • Occurs before NAT‑Traversal negotiation

Validation Workflow

  1. Verify both peers use IKEv2
  2. Compare Phase‑1 proposals field‑by‑field
  3. Confirm UDP 500/4500 reachability
  4. Check captures: absence of UDP 4500 ⇒ Phase‑1 failure
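The triage helper below is an added example (not Nodegrid, Libreswan or Meraki code) that turns the "Typical causes", "Understanding NO_PROPOSAL_CHOSEN" and validation-workflow sections into something runnable: it emulates the responder's field-by-field Phase-1 selection during IKE_SA_INIT and reports exactly which field has no common value (the condition that yields NO_PROPOSAL_CHOSEN), and it applies step 4 to a packet summary, treating UDP/500 that never progresses to UDP/4500 as a Phase-1 failure when NAT is in the path. The proposal dictionaries, packet summaries and field names are constructed for illustration and are not vendor configuration keys.

```python
"""Triage helper for an IKEv2 Phase-1 failure between two peers.

Added example (not Nodegrid, Libreswan or Meraki code). The proposal
dictionaries and packet summaries are constructed for illustration; the
field names are this script's own, not vendor configuration keys.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Phase-1 fields the checklist says must agree, compared field by field.
PHASE1_FIELDS = ("ike_version", "encryption", "integrity", "dh_group", "lifetime")


def _as_list(value) -> list:
    """A single value or a collection of offered values, as an ordered list."""
    if isinstance(value, (list, tuple)):
        return list(value)
    if isinstance(value, (set, frozenset)):
        return sorted(value, key=str)
    return [value]


def negotiate_phase1(initiator: Dict[str, object],
                     responder: Dict[str, object]) -> Tuple[Optional[dict], List[str]]:
    """Emulate the responder's selection during IKE_SA_INIT.

    For every field the responder takes the first initiator-offered value it
    also accepts. If any field has no common value the whole proposal is
    rejected, which is the condition that produces NO_PROPOSAL_CHOSEN; the
    returned list names each offending field. NAT detection never runs in
    that case, so NAT-T cannot be the cause.
    """
    chosen: dict = {}
    mismatches: List[str] = []
    for name in PHASE1_FIELDS:
        offered = _as_list(initiator.get(name))
        accepted = set(_as_list(responder.get(name)))
        common = [v for v in offered if v in accepted]
        if common:
            chosen[name] = common[0]
        else:
            mismatches.append(
                f"{name}: initiator offers {offered}, "
                f"responder accepts {sorted(accepted, key=str)}")
    return (chosen if not mismatches else None), mismatches


@dataclass
class Packet:
    """Minimal summary of one captured packet between the two peers."""
    proto: str            # "UDP" or "ESP"
    dport: int = 0        # destination port for UDP
    notify: str = ""      # IKEv2 notify type seen in the payload, if any


def diagnose_capture(packets: Iterable[Packet], nat_in_path: bool = True) -> str:
    """Step 4 of the validation workflow, applied to a packet summary.

    With NAT in the path a healthy IKEv2 setup shows UDP/500 (IKE_SA_INIT)
    followed by UDP/4500 (IKE_AUTH and ESP-in-UDP). UDP/500 that never
    progresses to UDP/4500 therefore means Phase 1 did not complete.
    """
    pkts = list(packets)
    if any(p.notify == "NO_PROPOSAL_CHOSEN" for p in pkts):
        return "PHASE1_PROPOSAL_REJECTED"   # fix crypto parameters, not NAT-T
    saw_500 = any(p.proto == "UDP" and p.dport == 500 for p in pkts)
    saw_4500 = any(p.proto == "UDP" and p.dport == 4500 for p in pkts)
    saw_esp = any(p.proto == "ESP" for p in pkts)
    if not saw_500:
        return "NO_IKE_TRAFFIC"             # check UDP/500 reachability first
    if saw_4500 or saw_esp:
        return "PHASE1_OK"
    if nat_in_path:
        return "PHASE1_FAILED"              # never moved to UDP/4500
    return "NO_ESP_SEEN"                    # no NAT: IKE_AUTH stays on 500, look for raw ESP


# Constructed sample data (not taken from any real device).
NODEGRID_PHASE1 = {"ike_version": "IKEv2", "encryption": ["aes256"],
                   "integrity": ["sha256"], "dh_group": [14], "lifetime": 28800}
MERAKI_PHASE1_BAD = {"ike_version": "IKEv2", "encryption": {"aes128", "aes256"},
                     "integrity": {"sha256"}, "dh_group": {2, 5}, "lifetime": 28800}
MERAKI_PHASE1_GOOD = dict(MERAKI_PHASE1_BAD, dh_group={14})

CAPTURE_FAILED = [Packet("UDP", 500), Packet("UDP", 500, notify="NO_PROPOSAL_CHOSEN")]
CAPTURE_STALLED = [Packet("UDP", 500), Packet("UDP", 500)]
CAPTURE_OK = [Packet("UDP", 500), Packet("UDP", 500),
              Packet("UDP", 4500), Packet("UDP", 4500)]

if __name__ == "__main__":
    for label, peer in (("bad", MERAKI_PHASE1_BAD), ("good", MERAKI_PHASE1_GOOD)):
        chosen, problems = negotiate_phase1(NODEGRID_PHASE1, peer)
        print(label, "->", chosen if chosen else problems)
    for label, cap in (("failed", CAPTURE_FAILED), ("stalled", CAPTURE_STALLED), ("ok", CAPTURE_OK)):
        print(label, "->", diagnose_capture(cap))
```

In the "bad" case only the DH group lacks a common value, so that is the single field to change on either side; the capture check deliberately reports "NO_ESP_SEEN" rather than a Phase-1 failure when no NAT is in the path, because IKE_AUTH then stays on UDP/500 and the thing to look for is raw ESP (protocol 50), not UDP/4500.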

Example parameter set that satisfies the checklist above (both peers must use the same values):

Phase 1 (IKEv2)

  • Encryption: AES‑256
  • Integrity: SHA‑256
  • DH Group: 14
  • Lifetime: 28800 seconds
  • NAT‑T: Automatic

Phase 2 (ESP)

  • Encryption: AES‑256
  • Integrity: SHA‑256
  • PFS: Disabled (or DH‑14 if enabled)
  • Lifetime: 3600 seconds

Related Articles

  • IPsec tunnel Nodegrid to PaloAlto with IKEv2 only
  • IPsec tunnel to AWS VPC with Certificates
  • How to Create Certificates for IPSec
  • How to Configure IPSec Host to Host tunnel with Certificate
  • How to Configure IPSec Host to Site Tunnel with Certificate