- EXAMPLE CONFIGURATION
- CRADLEPOINT CONFIGURATION
- ADTRAN CONFIGURATION
This document will guide you through creating an IPsec VPN tunnel between a Series 3 CradlePoint router and an Adtran NetVanta 3120 router. The IPsec tunnel in this example assumes that the WAN sources attached to both routers are publicly routable and not behind a NAT.
This document was created using CradlePoint firmware 4.4.2 and Adtran NetVanta firmware R10.9.0.E, but should work similarly on other firmware versions for both devices.
CradlePoint Series 3 router supporting IPsec
Adtran NetVanta 3120 (or other similar Adtran routers)
EXAMPLE CONFIGURATION:
CradlePoint IBR600LE configuration:
WAN IP: 22.214.171.124
LAN IP: 192.168.0.1
Adtran NetVanta configuration:
WAN IP: 126.96.36.199 (obtained via DHCP)
LAN IP: 10.10.10.1
Your WAN IP addresses (and likely LAN IP networks) will be different from the examples used in this document. This example configures an IPsec tunnel between the routers so that hosts connected to the CradlePoint’s 192.168.0.0/24 LAN can access hosts on the Adtran’s 10.10.10.0/24 subnet without any additional configuration.
Both the CradlePoint and Adtran device configuration begin from factory default settings. The CradlePoint’s IPsec configuration in this guide is intended to be the most compatible with the default IPsec settings on the Adtran, but there are many other combinations that should work as long as both sides are configured with matching settings.
For more information about other IPsec options on the Adtran, please contact https://www.adtran.com for assistance.
CRADLEPOINT CONFIGURATION:
- After logging into the CradlePoint, click Internet > VPN Tunnels.
- At the Internet > VPN Tunnels page, click the Add button to create a new IPsec policy.
- Give the tunnel a name, and then enter “CradlePoint” as the Local Identity and enter “NetVanta3120” as the Remote Identity. Enter the same pre-shared key that will be entered in step 10 for configuring the Adtran. The Initiation Mode may be set to “On Demand” or “Always On,” depending on your needs. Click Next to continue.
- Under Local Networks, add the CradlePoint’s local network address and netmask for the network(s) that will be made available across the VPN. Click Next to continue.
- Under Remote Gateway, enter the public IP address (or host name if available) of the WAN interface of the NetVanta. Under Remote Networks, enter the “Network Address” and “Netmask” of the NetVanta’s private network that will be made available across the VPN tunnel. Click Next to continue.
- For IKE Phase 1, make sure that the settings match how the NetVanta is configured. In this example, to match the NetVanta’s settings, the Exchange Mode was changed to “Aggressive,” the “Key Lifetime” was left at 28800, and all Encryption, Hash & DH Groups that were not configured on the Adtran have been unchecked. Click Next to continue.
- For IKE Phase 2, again make sure that the settings match how the NetVanta is configured. In this example, “Perfect Forward Secrecy” has been unchecked, the “Key Lifetime” has been increased to 28800, and, as above, the unused Encryption, Hash & DH Groups have been unchecked. Click Next to continue.
- For “Dead Peer Detection,” leave the settings at the default values and click Finish.
- At the “Tunnel Summary” screen, ensure that your settings are correct and click Yes to save the settings.
- At the VPN tunnels page, you will now see the new IPsec policy listed. Click Enable VPN Service to start the VPN service.
ADTRAN CONFIGURATION:
- After logging into the Adtran, click the Data tab.
- Under “VPN”, click the VPN Wizard link.
- At the wizard’s welcome page, click Next.
- Choose “Typical Setup” and click Next.
- In the “VPN Peer Description” field, enter a name for the remote CradlePoint, then click Next.
- In this example, the VPN peer is named “CradlePoint”.
- In the “Public Interface” field, select Adtran’s public WAN interface, then click Next.
- In this example, the Public Interface selected is “Public (DHCP).”
- In the “Peer IP Address” field, enter the CradlePoint’s public WAN IP Address, then click Next.
- In this example, the CradlePoint’s WAN IP is 188.8.131.52.
- In the “Remote Subnet” and “Remote Subnet Mask” fields, enter the private network behind the CradlePoint that will be made available through the tunnel, and then click Next.
- In this example, the “Remote Subnet” is 192.168.0.0 and the “Remote Subnet Mask” is 255.255.255.0.
- In the “Local Network” page, select or manually enter the Adtran’s local network that will be made available through the tunnel, and then click Next.
- In this example, the network “10.10.10.0/255.255.255.0” was chosen from the “Use Network From” drop-down.
- In the “Authentication Type” screen, choose Preshared Secret and enter a password that will be used on both sides of the tunnel.
- In the “Remote ID Type” field, choose Allow Any Remote ID. It is also possible to use an e-mail address or IP address in this field if preferred, as long as both sides match.
- For the “Local ID Type,” leave it as “Domain Name”, and leave the “Local ID Value” at the default value, and then click Next.
- At the “Confirm Settings” page, make note of the IKE & IPsec settings that the NetVanta chose by default. The CradlePoint will need to be configured with matching settings.
- In the example, the NetVanta is using IKE Phase 1 Aggressive mode, Encryption type 3DES, Hash type MD5, DH Group 1, with a key lifetime of 28800.
- The IKE Phase 2 (IPsec) settings in the example are Perfect Forward Secrecy disabled, Encryption type 3DES, Hash type MD5, with a key lifetime of 28800. Keep in mind that these are not the same as the default settings on the CradlePoint.
- Other combinations will also work as long as the settings match on both the CradlePoint and the NetVanta. Click Finish to save your VPN configuration.
- At the “Wizard Complete” page, click Exit to get back to the main NetVanta UI.
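A pre-flight check for the matching requirement described above, as an added example that is not part of the original guide or of either vendor's tooling: it compares the two sides' settings as copied from their summary screens and lists the legacy algorithms still in use. The dictionary layout, field names and the LEGACY list are assumptions made for this example; the values are the ones used in this guide.

```python
import ipaddress

# Values are the ones used in this guide; the dictionary layout is hypothetical.
P1 = {"mode": "aggressive", "enc": "3des", "hash": "md5", "dh": 1, "lifetime": 28800}
P2 = {"pfs": False, "enc": "3des", "hash": "md5", "lifetime": 28800}
CRADLEPOINT = {"local_nets": ["192.168.0.0/255.255.255.0"],
               "remote_nets": ["10.10.10.0/255.255.255.0"],
               "p1": dict(P1), "p2": dict(P2)}
NETVANTA = {"local_nets": ["10.10.10.0/255.255.255.0"],
            "remote_nets": ["192.168.0.0/255.255.255.0"],
            "p1": dict(P1), "p2": dict(P2)}

# Legacy choices worth revisiting once the tunnel is up; both sides must change together.
LEGACY = {"mode": {"aggressive"}, "enc": {"des", "3des"}, "hash": {"md5"}, "dh": {1, 2}}


def nets(specs):
    """Normalise 'address/netmask' or CIDR strings into a set of networks."""
    return {ipaddress.ip_network(s, strict=False) for s in specs}


def mismatches(a, b):
    """List every difference between the two sides' tunnel definitions."""
    out = []
    # Each side's local networks must be the other side's remote networks.
    if nets(a["local_nets"]) != nets(b["remote_nets"]):
        out.append("a.local_nets != b.remote_nets")
    if nets(a["remote_nets"]) != nets(b["local_nets"]):
        out.append("a.remote_nets != b.local_nets")
    for phase in ("p1", "p2"):
        for key in sorted(set(a[phase]) | set(b[phase])):
            if a[phase].get(key) != b[phase].get(key):
                out.append(f"{phase}.{key}: {a[phase].get(key)!r} != {b[phase].get(key)!r}")
    return out


def legacy_settings(side):
    """List settings on one side that rely on legacy modes or algorithms."""
    return [f"{phase}.{key}={side[phase][key]}"
            for phase in ("p1", "p2")
            for key, bad in LEGACY.items()
            if side[phase].get(key) in bad]


if __name__ == "__main__":
    for line in mismatches(CRADLEPOINT, NETVANTA) or ["settings match"]:
        print(line)
    print("legacy:", ", ".join(legacy_settings(NETVANTA)))
```

An empty list from `mismatches` means both summary screens agree; anything reported by `legacy_settings` can be replaced with a stronger option as long as the same change is made on both routers.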