This article was written based on firmware version 5.0.0.
This article applies to the following CradlePoint products: CBR400, CBR450, IBR600, IBR650, MBR1200B, MBR1400.
A Virtual Private Network (VPN) interconnects remote (and often geographically separate) networks through primarily public communication infrastructures such as the Internet. This article explains how to set up a basic IPsec VPN-terminated tunnel between capable CradlePoint Series 3 routers when the connection on one or both routers is configured with a publicly routable dynamic IP address using a dynamic DNS service.
For assistance configuring Series 3 CradlePoint routers where both sides connect using static IP addresses, please refer to this article instead: VPN setup example for static IP address connections
This article assumes that the IP address being received from your ISP is a public facing routable address. For assistance configuring Series 3 CradlePoint routers to connect to a VPN where one side does not have a publicly routable IP address, please refer to this article instead: [Link to “VPN NAT-T setup”]
Before getting started, first make sure that both CradlePoint routers are online and that your dynamic DNS host is properly resolving to your IP address. For assistance setting up dynamic DNS, please refer to this article: http://knowledgebase.cradlepoint.com/articles/Support/setup-Dynamic-DNS-on-a-Series-3-CradlePoint
Additionally, you will need to make sure that the local networks of the routers do not match. For example, if Router #1 is already set up using the default network of 192.168.0.1, you would want to change Router #2’s local network to use a different private network (such as 192.168.100.1 or 172.16.0.1). For assistance changing the local IP address of a Series 3 CradlePoint router, please refer to this article: How to change the router’s local IP address
For maximum compatibility, we also recommend making sure that the firmware on both CradlePoint routers is upgraded to the most recent version. The most recent CradlePoint firmware files can always be downloaded from http://www.cradlepoint.com/firmware.
After verifying that both CradlePoint routers are online, that the dynamic DNS host(s) are resolving properly, and that both routers have been configured on different local subnets, the directions below will help configure a VPN tunnel between the two routers. These same directions can be followed when only one side has a dynamic IP address and the other side has a static IP address; just use the router’s static IP address whenever the dynamic DNS name is requested.
This is an example setup where both routers have routable dynamic WAN IP addresses. Computer #1 is connected behind Router #1 and Computer #2 is connected behind Router #2.
Router #1:
LAN IP address: 192.168.42.1
LAN subnet mask: 255.255.255.0
Dynamic DNS name: [the dynamic DNS hostname for router #1]
Computer #1: 192.168.42.199
Router #2:
LAN IP address: 192.168.0.1
LAN subnet mask: 255.255.255.0
Dynamic DNS name: [the dynamic DNS hostname for router #2]
Computer #2: 192.168.0.177
A typical VPN tunnel between these routers would allow Computer #1 (and other computers getting addresses from Router #1) to connect directly to Computer #2 (and other computers getting addresses from Router #2) using a secure tunnel across the unsecured public Internet.
VPN configuration steps for Router #1:
9. [Router #1] For Dead Peer Detection, leave everything at the default settings. Click Finish to reach the summary page.
10. [Router #1] At the Summary Screen, make sure that your settings are correct and click Yes to finish the configuration.
11. [Router #1] Now that the VPN settings have been entered, click Enable VPN Service to turn on the VPN tunnel from Router #1’s side.
VPN configuration steps for Router #2:
14. [Router #2] Click Add to create a new tunnel.
15. [Router #2] On the first page of the VPN wizard, enter the same Tunnel Name, Pre-shared Key, and Initiation Mode used when setting up Router #1. Click Next to continue.
16. [Router #2] On the Local Networks page, select the IP Version you are using locally for a gateway as well as the IP Version you are using for your LAN. Then click Add under the Local Networks section and type the network and subnet of the local LAN that you want to make available across the VPN tunnel. In our example, these are the same settings entered into the Remote Network page on Router #1. Click Save to confirm the network and click Next to continue.
18. [Router #2] For IKE Phase 1, again change the Exchange Mode to Aggressive, and then leave everything else at the default settings. Click Next to continue.
19. [Router #2] For IKE Phase 2, again leave everything at the default settings. Click Next to continue.
20. [Router #2] For Dead Peer Detection, again leave everything at the default settings. Click Finish to reach the summary page.
21. [Router #2] At the Summary Screen, make sure that your settings are correct and click Yes to finish the configuration.
22. [Router #2] Now that Router #2’s VPN settings have been entered, click Enable VPN Service to turn on the VPN tunnel from Router #2’s side as well.
23. Now that both tunnels have been configured and enabled, go to Status -> VPN (from either computer) to view the status of the tunnel.
If the tunnel doesn’t come up automatically, you may need to generate “interesting traffic” over the VPN first. From a computer connected to the router (or from the router itself) you will want to ping an IP address on the other side of the tunnel. Interesting traffic would be generated if (for example) Computer #1 (192.168.42.199) attempted to ping Computer #2 (192.168.0.177), or if Router #2 (at 192.168.0.1) tried to ping Router #1 (at 192.168.42.1).
The “ping” command can be run directly from CradlePoint’s admin interface from “System Settings” -> “System Control.”
Once the VPN tunnel has been established, you can view the VPN status by browsing to Status -> VPN.
Example VPN Status from Router #1:
Example VPN Status from Router #2:
Once the VPN tunnel has been configured and enabled, any traffic bound for the “remote network” will be sent across the VPN rather than being handled locally.
This example VPN shows how to make local networks available across a VPN. If you need to have other local or public networks routed across the VPN, these networks will need to be added into the “Remote Gateway” settings for the router sending the traffic across the VPN.
For example, if the “Remote Gateway” in Router #2’s VPN configuration was changed from 192.168.0.0/255.255.255.0 to 0.0.0.0/0.0.0.0, this would force all Internet traffic coming from Router #2 to be sent across the VPN rather than being handled by Router #2’s WAN source.
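The two rules this article relies on, that the routers' local networks must not match and that the remote network setting decides which traffic enters the tunnel, can be checked on paper before either router is touched. The Python below is an added example, not CradlePoint code: the function names, the mirrored remote network on Router #2, the test destination 203.0.113.10 and the rule that a router keeps traffic for its own LAN local are assumptions.

```python
import ipaddress

DEFAULT = ipaddress.ip_network("0.0.0.0/0")

def router(name, lan_ip, mask, remote):
    """Describe one tunnel endpoint; the LAN network is derived from IP + mask."""
    return {"name": name,
            "lan": ipaddress.ip_interface(f"{lan_ip}/{mask}").network,
            "remote": [ipaddress.ip_network(r) for r in remote]}

def check_plan(a, b):
    """Return a list of problems with a two-router plan (empty means consistent)."""
    problems = []
    if a["lan"].overlaps(b["lan"]):
        problems.append(f"LANs overlap: {a['lan']} / {b['lan']}")
    for here, peer in ((a, b), (b, a)):
        for net in here["remote"]:
            if net == DEFAULT:  # full-tunnel selector, covers everything by design
                continue
            if net.overlaps(here["lan"]):
                problems.append(f"{here['name']}: remote {net} overlaps its own LAN")
            elif not net.subnet_of(peer["lan"]):
                problems.append(f"{here['name']}: remote {net} is not on {peer['name']}'s LAN")
    return problems

def path_for(r, dest):
    """Where the router sends a packet: 'local', 'vpn' or 'wan'."""
    ip = ipaddress.ip_address(dest)
    if ip in r["lan"]:  # assumption: traffic for the router's own LAN stays local
        return "local"
    if any(ip in net for net in r["remote"]):
        return "vpn"
    return "wan"

# Values from the example setup above; Router #2's remote network is assumed
# to mirror Router #1's LAN.
R1 = router("Router #1", "192.168.42.1", "255.255.255.0", ["192.168.0.0/24"])
R2 = router("Router #2", "192.168.0.1", "255.255.255.0", ["192.168.42.0/24"])
# Same Router #2 with the remote network widened to 0.0.0.0/0 (full tunnel).
R2_FULL = router("Router #2", "192.168.0.1", "255.255.255.0", ["0.0.0.0/0"])
# Constructed mistake: Router #2 left on the same LAN as Router #1.
R2_CLASH = router("Router #2", "192.168.42.1", "255.255.255.0", ["192.168.42.0/24"])

if __name__ == "__main__":
    print(check_plan(R1, R2))
    print(check_plan(R1, R2_CLASH))
    for r in (R2, R2_FULL):
        print(r["remote"], path_for(r, "192.168.42.199"), path_for(r, "203.0.113.10"))
```

With the /24 remote network only traffic for the other LAN enters the tunnel; with 0.0.0.0/0 the Internet-bound packet does too, so the peer router's WAN link and firewall policy carry that traffic.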