Series 3: Where can I find a CradlePoint VPN setup example for static IP connections?

To determine the series of your CradlePoint router please click here.

This article was written based on the 4.3.0 series 3 firmware version.

Description:

A Virtual Private Network (VPN) interconnects remote (and often geographically separate) networks through primarily public communication infrastructures such as the Internet.  This article explains how to set up a basic IPsec VPN tunnel between capable CradlePoint Series 3 routers when the connections on both routers are configured with publicly routable static IP addresses.
For assistance configuring Series 3 CradlePoint routers where one or both sides connect using dynamic public routable IP addresses (via Dynamic DNS), please refer to this article instead: VPN setup example for dynamic IP address connections

For assistance configuring Series 3 CradlePoint routers to connect to a VPN where one side does not have a publicly routable IP address, please refer to this article instead: VPN NAT-T setup

Before getting started, first make sure that both CradlePoint routers are online and are properly obtaining static IP addresses from your ISP(s).  Additionally, you will need to make sure that the local networks of the routers do not match.  For example, if Router #1 is already set up using the default network of 192.168.0.1, you would want to change Router #2’s local network to use a different private network (such as 192.168.100.1 or 172.16.0.1).  For assistance changing the local IP address of a Series 3 CradlePoint router, please refer to this article: How to change the router’s local IP address

For maximum compatibility, we also recommend making sure that the firmware on both CradlePoint routers is upgraded to the most recent version.  The most recent CradlePoint firmware files can always be downloaded from http://www.cradlepoint.com/firmware.

Directions:

After verifying that both CradlePoint routers are online with routable static IP addresses, and after verifying that both routers have been configured on different local subnets, the directions below will help configure a VPN tunnel between the two routers.

This is an example setup where both routers have routable static WAN IP addresses.  Computer #1 is connected behind Router #1 and Computer #2 is connected behind Router #2.

Router #1
LAN IP address:                   172.16.20.1
LAN subnet mask:               255.255.0.0
WAN IP address:                  [the static IP address on router #1]
Computer #1:                        172.16.123.106

Router #2
LAN IP address:                   192.168.0.1
LAN subnet mask:               255.255.255.0
WAN IP address:                  [the static IP address on router #2]
Computer #2:                        192.168.0.199

A typical VPN tunnel between these routers would allow Computer #1 (and other computers getting addresses from Router #1) to connect directly to Computer #2 (and other computers getting addresses from Router #2) using a secure tunnel across the insecure public Internet.

VPN configuration steps for Router #1:

1.    [Router #1] Log into the CradlePoint’s admin console on Router #1.

2.    [Router #1] Click “Internet” -> “VPN Tunnels”


3.    [Router #1] Click “Add” to create a new tunnel.


4.    [Router #1] On the first page of the VPN wizard, give the tunnel a unique “Tunnel Name” and “Pre-shared Key”.  In our example, the “Tunnel Name” is “VPN_Example”.  You will use the same “Tunnel Name” and “Pre-shared Key” later when setting up Router #2.

If you prefer that the VPN tunnel is only established when you need it, set the “Initiation Mode” to “On Demand”.  If you instead prefer for the tunnel to remain online, set the “Initiation Mode” to “Always On”.

Click “Next” to continue.


5.     [Router #1] On the “Local Networks” page, type the network and subnet of the local LAN that you want to make available across the VPN tunnel.  Click “Save” to confirm the network and click “Next” to continue.


6.     [Router #1] On the “Remote Networks” page, enter Router #2’s WAN IP address as the “Gateway”, then enter Router #2’s local network and subnet mask that you would like to make available over the VPN tunnel.  Click “Save” and “Next” to continue.


7.     [Router #1] For “IKE Phase 1”, leave everything at the default settings.  Click “Next” to continue.


8.     [Router #1] For “IKE Phase 2”, leave everything at the default settings.  Click “Next” to continue.


9.     [Router #1] For “Dead Peer Detection”, leave everything at the default settings.  Click “Finish” to reach the summary page.


10.     [Router #1] At the “Summary Screen”, make sure that your settings are correct and click “Yes” to finish the configuration. 


11.     [Router #1] Now that the VPN settings have been entered, click “Enable VPN Service” to turn on the VPN tunnel from Router #1’s side.

VPN configuration steps for Router #2:

12.     [Router #2] Log into the CradlePoint’s admin console on Router #2.

13.     [Router #2] Click “Internet” -> “VPN Tunnels”


14.     [Router #2] Click “Add” to create a new tunnel.


15.     [Router #2] On the first page of the VPN wizard, enter the same “Tunnel Name”, “Pre-shared Key”, and “Initiation Mode” used when setting up Router #1.  Click “Next” to continue.


16.     [Router #2] On the “Local Networks” page, type the network and subnet of the local LAN that you want to make available across the VPN tunnel.  In our example, these are the same settings entered into the “Remote Network” page on Router #1.  Click “Save” to confirm the network and click “Next” to continue.


17.     [Router #2] On the “Remote Networks” page, enter Router #1’s WAN IP address as the “Gateway”, then enter Router #1’s local network and subnet mask that you would like to make available over the VPN tunnel.  In our example, these are the same settings entered onto the “Local Network” page on Router #1.  Click “Save” and “Next” to continue.



18.     [Router #2] For “IKE Phase 1”, again leave everything at the default settings.  Click “Next” to continue.


19.     [Router #2] For “IKE Phase 2”, again leave everything at the default settings.  Click “Next” to continue.


20.     [Router #2] For “Dead Peer Detection”, again leave everything at the default settings.  Click “Finish” to reach the summary page.


21.     [Router #2] At the “Summary Screen”, make sure that your settings are correct and click “Yes” to finish the configuration. 


22.     [Router #2] Now that Router #2’s VPN settings have been entered, click “Enable VPN Service” to turn on the VPN tunnel from Router #2’s side as well.


23.     Now that both tunnels have been configured and enabled, go to “Status” -> “VPN” (from either computer) to view the status of the tunnel.
 
If the tunnel doesn’t come up automatically, you may need to generate “interesting traffic” over the VPN first.  From a computer connected to the router (or from the router itself) you will want to ping an IP address on the other side of the tunnel.  Interesting traffic would be generated if (for example) Computer #1 (at 172.16.123.106) attempted to ping Computer #2 (at 192.168.0.199), or if Router #2 (at 192.168.0.1) tried to ping Router #1 (at 172.16.20.1).
 
The “ping” command can be run directly from the CradlePoint’s admin interface from “System Settings” -> “System Control”.
 
Once the VPN tunnel has been established, you can view the VPN status by browsing to “Status” -> “VPN”.
 
[Screenshot: example VPN status from Router #1]

[Screenshot: example VPN status from Router #2]

Once the VPN tunnel has been configured and enabled, any traffic bound for the “remote network” will be sent across the VPN rather than being handled locally.
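
A pre-flight check for the values typed into the wizard in steps 4-6 and 15-17, as an added example that is not part of the original article or CradlePoint's own tooling. The dictionary field names, the WAN addresses (documentation ranges) and the pre-shared key are constructed placeholders; it covers only the basic LAN-to-LAN setup shown in this article.

```python
import ipaddress

def lan_network(lan_ip, mask):
    """Network to enter on the wizard pages, derived from a router's LAN IP and mask."""
    return ipaddress.ip_interface(f"{lan_ip}/{mask}").network

def net(text):
    """Parse 'network/mask' as the article writes it, e.g. 172.16.0.0/255.255.0.0."""
    return ipaddress.ip_network(text, strict=False)

def check_pair(a, b):
    """Return a list of mismatches between the two routers' tunnel entries."""
    problems = []
    # Step 15: these three values must be identical on both routers.
    for field in ("tunnel_name", "psk", "initiation_mode"):
        if a[field] != b[field]:
            problems.append(f"{field} differs")
    # Prerequisite: the two LANs must not use the same (or overlapping) network.
    if net(a["local_net"]).overlaps(net(b["local_net"])):
        problems.append("local networks overlap")
    # Steps 6, 16, 17: each side's Gateway / Remote Network mirrors the peer.
    for near, far in ((a, b), (b, a)):
        if ipaddress.ip_address(near["gateway"]) != ipaddress.ip_address(far["wan_ip"]):
            problems.append(f"{near['name']}: gateway is not {far['name']} WAN IP")
        if net(near["remote_net"]) != net(far["local_net"]):
            problems.append(f"{near['name']}: remote network is not {far['name']} local network")
    return problems

# Constructed sample entries; LAN values are the article's, WAN IPs and PSK are placeholders.
COMMON = {"tunnel_name": "VPN_Example", "psk": "EXAMPLE-PSK-PLACEHOLDER",
          "initiation_mode": "Always On"}
R1 = dict(COMMON, name="Router #1", wan_ip="203.0.113.10",
          local_net=str(lan_network("172.16.20.1", "255.255.0.0")),
          gateway="198.51.100.20", remote_net="192.168.0.0/255.255.255.0")
R2 = dict(COMMON, name="Router #2", wan_ip="198.51.100.20",
          local_net=str(lan_network("192.168.0.1", "255.255.255.0")),
          gateway="203.0.113.10", remote_net="172.16.0.0/255.255.0.0")

if __name__ == "__main__":
    print(check_pair(R1, R2) or "tunnel entries are consistent")
    # A wrong mask on Router #2's Remote Networks page is reported as a mismatch.
    print(check_pair(R1, dict(R2, remote_net="172.16.0.0/255.255.255.0")))
```
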


Note:

This example VPN shows how to make local networks available across a VPN.  If you need to have other local or public networks routed across the VPN, these networks will need to be added into the “Remote Gateway” settings for the router sending the traffic across the VPN.

For example, if the “Remote Network” in Router #2’s VPN configuration was changed from 172.16.0.0/255.255.0.0 to 0.0.0.0/0.0.0.0, this would force all Internet traffic coming from Router #2 to be sent across the VPN rather than being handled by Router #2’s WAN source.

