Series 3: Where can I find a VPN setup example for Dynamic IP Address Connections?

If you are not sure what model CradlePoint router you have, please click here.

This article was written based on firmware version 5.0.0.

This article applies to the following CradlePoint products:  CBR400, CBR450, IBR600, IBR650, MBR1200B, MBR1400.
 

Description:

A Virtual Private Network (VPN) interconnects remote (and often geographically separate) networks over primarily public communication infrastructure such as the Internet.  This article explains how to set up a basic IPsec VPN tunnel terminated between capable CradlePoint Series 3 routers when the connection on either or both routers is configured with a publicly routable dynamic IP address using a dynamic DNS service.
For assistance configuring Series 3 CradlePoint routers where both sides connect using static IP addresses, please refer to this article instead: VPN setup example for static IP address connections

NOTE: 
This article assumes that the IP address being received from your ISP is a public facing routable address. For assistance configuring Series 3 CradlePoint routers to connect to a VPN where one side does not have a publicly routable IP address, please refer to this article instead: [Link to “VPN NAT-T setup”]

Before getting started, first make sure that both CradlePoint routers are online and that your dynamic DNS host is properly resolving to your IP address.  For assistance setting up dynamic DNS, please refer to this article: http://knowledgebase.cradlepoint.com/articles/Support/setup-Dynamic-DNS-on-a-Series-3-CradlePoint
 
Additionally, you will need to make sure that the local networks of the routers do not match.  For example, if Router #1 is already set up using the default network of 192.168.0.1, you would want to change Router #2’s local network to use a different private network (such as 192.168.100.1 or 172.16.0.1).  For assistance changing the local IP address of a Series 3 CradlePoint router, please refer to this article: How to change the router’s local IP address
 
For maximum compatibility, we also recommend making sure that the firmware on both CradlePoint routers is upgraded to the most recent version.  The most recent CradlePoint firmware files can always be downloaded from http://www.cradlepoint.com/firmware


Directions:

After verifying that both CradlePoint routers are online, that the dynamic DNS host(s) are resolving properly, and that both routers have been configured on different local subnets, follow the directions below to configure a VPN tunnel between the two routers.  The same directions apply when only one side has a dynamic IP address and the other side has a static IP address: use the router’s static IP address wherever the dynamic DNS name is requested.

This is an example setup where both routers have routable dynamic WAN IP addresses.  Computer #1 is connected behind Router #1 and Computer #2 is connected behind Router #2.

Router #1
LAN IP address:       192.168.42.1
LAN subnet mask:      255.255.255.0
Dynamic DNS name:     [the dynamic DNS hostname for router #1] (example: cpexample1.no-ip.org)
Computer #1:          192.168.42.199

Router #2
LAN IP address:       192.168.0.1
LAN subnet mask:      255.255.255.0
Dynamic DNS name:     [the dynamic DNS hostname for router #2] (example: cpexample2.zapto.org)
Computer #2:          192.168.0.177


A typical VPN tunnel between these routers would allow Computer #1 (and other computers getting addresses from Router #1) to be able to connect directly to Computer #2 (and other computers getting addresses from Router #2) using a secure tunnel across the unsecure public Internet.
 
VPN configuration steps for Router #1:
 

1.    [Router #1] Log into CradlePoint’s admin console on Router #1.

2.    [Router #1] Click Internet -> VPN Tunnels

 

3.    [Router #1] Click Add to create a new tunnel.

4.    [Router #1] On the first page of the VPN wizard, give the tunnel a unique Tunnel Name and Pre-shared Key.  In our example, the Tunnel Name is “VPN_Example.”  You will use the same Tunnel Name and Pre-shared Key later when setting up Router #2.

 

If you prefer that the VPN tunnel is only established when you need it, set the Initiation Mode to On Demand.  If you instead prefer for the tunnel to remain online, set the Initiation Mode to Always On.  Click Next to continue.

 

5.    [Router #1] On the Local Networks page, select the IP Version you are using locally for a gateway as well as the IP Version you are using for your LAN.  Then click ADD under the Local Networks section and type the network and subnet of the local LAN that you want to make available across the VPN tunnel.  Click Save to confirm the network and click Next to continue.

6.    [Router #1] On the Remote Networks page, enter Router #2’s Dynamic DNS host address as the Gateway, then click ADD and enter Router #2’s local network and subnet mask that you would like to make available over the VPN tunnel.  Click Save and Next to continue.

 
 

7.    [Router #1] For IKE Phase 1, change the Exchange Mode to Aggressive, and leave everything else at the default settings.  Click Next to continue.

8.    [Router #1] For IKE Phase 2, leave everything at the default settings.  Click Next to continue.

9.    [Router #1] For Dead Peer Detection, leave everything at the default settings.  Click Finish to reach the summary page.


10. [Router #1] At the Summary Screen, make sure that your settings are correct and click Yes to finish the configuration.


11. [Router #1] Now that the VPN settings have been entered, click Enable VPN Service to turn on the VPN tunnel from Router #1’s side.

 
 
VPN configuration steps for Router #2:
 

12. [Router #2] Log into CradlePoint’s admin console on Router #2.

13. [Router #2] Click Internet -> VPN Tunnels

14. [Router #2] Click Add to create a new tunnel.


15. [Router #2] On the first page of the VPN wizard, enter the same Tunnel Name, Pre-shared Key, and Initiation Mode used when setting up Router #1.  Click Next to continue.

16. [Router #2] On the Local Networks page, Select the IP Version you are using Locally for a gateway as well as the IP Version you are using for your LAN.  Then Click ADD under the Local Networks section and type the network and subnet of the local LAN that you want to make available across the VPN tunnel.  In our example, these are the same settings entered into the Remote Network page on Router #1.  Click Save to confirm the network and click Next to continue.

17. [Router #2] On the Remote Networks page, enter Router #1’s dynamic DNS host address as the Gateway, then enter Router #1’s local network and subnet mask that you would like to make available over the VPN tunnel.  In our example, these are the same settings entered onto the “Local Network” page on Router #1.  Click Save and Next to continue.

18. [Router #2] For IKE Phase 1, again change the Exchange Mode to Aggressive, and then leave everything else at the default settings.  Click Next to continue.

19. [Router #2] For IKE Phase 2, again leave everything at the default settings.  Click Next to continue.


20. [Router #2] For Dead Peer Detection, again leave everything at the default settings.  Click Finish to reach the summary page.


21. [Router #2] At the Summary Screen, make sure that your settings are correct and click Yes to finish the configuration.


22. [Router #2] Now that Router #2’s VPN settings have been entered, click Enable VPN Service to turn on the VPN tunnel from Router #2’s side as well.


23. Now that both tunnels have been configured and enabled, go to Status -> VPN (from either computer) to view the status of the tunnel.

 
If the tunnel doesn’t come up automatically, you may need to generate “interesting traffic” over the VPN first.  From a computer connected to the router (or from the router itself) you will want to ping an IP address on the other side of the tunnel.  Interesting traffic would be generated if (for example) Computer #1 (192.168.42.199) attempted to ping Computer #2 (192.168.0.177), or if Router #2 (at 192.168.0.1) tried to ping Router #1 (at 192.168.42.1).
 
The “ping” command can be run directly from CradlePoint’s admin interface from  “System Settings” -> “System Control.”
 
Once the VPN tunnel has been established, you can view the VPN status by browsing to Status -> VPN.
 
[Screenshots: example VPN status from Router #1 and from Router #2]
 
Once the VPN tunnel has been configured and enabled, any traffic bound for the “remote network” will be sent across the VPN rather than being handled locally.
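
The prerequisites and the mirrored settings from the steps above can be checked before the tunnels are enabled. The following is an added example, not CradlePoint code: the dictionary layout, the pre-shared key value, the DNS answers and the 20-character key floor are all assumptions made for the sketch.

```python
import ipaddress

# Constructed tunnel settings mirroring the article's example. The dict layout and
# the pre-shared key are placeholders for this sketch, not a CradlePoint format.
ROUTER1 = {"name": "VPN_Example", "psk": "constructed-placeholder-key",
           "mode": "Aggressive", "gateway": "cpexample2.zapto.org",
           "local": "192.168.42.0/255.255.255.0", "remote": "192.168.0.0/255.255.255.0"}
ROUTER2 = {"name": "VPN_Example", "psk": "constructed-placeholder-key",
           "mode": "Aggressive", "gateway": "cpexample1.no-ip.org",
           "local": "192.168.0.0/255.255.255.0", "remote": "192.168.42.0/255.255.255.0"}
# Constructed DNS answers (documentation-range addresses) so the check runs offline.
SAMPLE_DNS = {"cpexample1.no-ip.org": "203.0.113.10",
              "cpexample2.zapto.org": "198.51.100.20"}

# Addresses that mean the WAN side is not directly reachable from the Internet.
NON_PUBLIC = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",    # RFC 1918
               "100.64.0.0/10", "169.254.0.0/16", "127.0.0.0/8")]  # CGNAT, link-local, loopback
MIN_PSK_LEN = 20  # assumed floor for this example, not a CradlePoint requirement


def net(text):
    """Parse 'network/mask' as typed into the wizard; raises ValueError on host bits."""
    return ipaddress.ip_network(text, strict=True)


def check_pair(a, b, resolve):
    """Return the deviations from the article's setup; an empty list means consistent."""
    problems = [f"{key} differs between the two routers"
                for key in ("name", "psk", "mode") if a[key] != b[key]]
    # Aggressive mode exchanges a hash derived from the pre-shared key before the
    # negotiation is encrypted, so a short key is open to offline guessing.
    if a["mode"] == "Aggressive" and len(a["psk"]) < MIN_PSK_LEN:
        problems.append("pre-shared key is short for Aggressive mode")
    a_local, a_remote = net(a["local"]), net(a["remote"])
    b_local, b_remote = net(b["local"]), net(b["remote"])
    if a_local.overlaps(b_local):
        problems.append(f"local networks overlap: {a_local} and {b_local}")
    if a_remote != b_local or b_remote != a_local:
        problems.append("remote network on one side does not mirror the other side's local network")
    for side in (a, b):
        addr = ipaddress.ip_address(resolve(side["gateway"]))
        if any(addr in n for n in NON_PUBLIC):
            problems.append(f"{side['gateway']} resolves to non-public {addr}; see the NAT-T article")
    return problems


if __name__ == "__main__":
    print(check_pair(ROUTER1, ROUTER2, SAMPLE_DNS.__getitem__) or "settings are consistent")
```

To check live dynamic DNS names instead of the constructed answers, pass `socket.gethostbyname` as `resolve`.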
 
Note:

This example VPN shows how to make local networks available across a VPN.  If you need to have other local or public networks routed across the VPN, these networks will need to be added into the “Remote Gateway” settings for the router sending the traffic across the VPN.
 
For example, if the “Remote Gateway” in Router #2’s VPN configuration was changed from 192.168.0.0/255.255.255.0 to 0.0.0.0/0.0.0.0, this would force all Internet traffic coming from Router #2 to be sent across the VPN rather than being handled by Router #2’s WAN source.

