Series 3: How do I configure an IPSEC VPN tunnel between a CradlePoint and an Adtran NetVanta?


SUMMARY:

This document will guide you through creating an IPsec VPN tunnel between a Series 3 CradlePoint router and an Adtran NetVanta 3120 router.  The IPsec tunnel in this example assumes that the WAN sources attached to both routers are publicly routable and not behind a NAT.

This document was created using CradlePoint firmware 4.4.2 and Adtran NetVanta firmware R10.9.0.E, but should work similarly on other firmware versions for both devices.


REQUIREMENTS:

CradlePoint Series 3 router supporting IPsec

Adtran NetVanta 3120 (or other similar Adtran routers)

Public WAN sources attached to each router


EXAMPLE CONFIGURATION:

CradlePoint IBR600LE configuration:

WAN IP: 166.142.176.196

LAN IP: 192.168.0.1

Subnet: 255.255.255.0

Adtran NetVanta configuration:

WAN IP: 184.76.124.69   (obtained via DHCP)

LAN IP: 10.10.10.1

Subnet: 255.255.255.0

Your WAN IP addresses (and likely LAN IP networks) will be different than the examples used in this document.  This example configures an IPsec tunnel between the routers so that hosts connected to the CradlePoint’s 192.168.0.0/24 LAN can access hosts on the Adtran’s 10.10.10.0/24 subnet without any additional configuration.

Both the CradlePoint and Adtran device configuration begin from factory default settings.  The CradlePoint’s IPsec configuration in this guide is intended to be the most compatible with the default IPsec settings on the Adtran, but there are many other combinations that should work as long as both sides are configured with matching settings.

For more information about other IPsec options on the Adtran, please contact http://www.adtran.com for assistance.


CRADLEPOINT CONFIGURATION:

  1. After logging into the CradlePoint, click Internet > VPN Tunnels.
  2. At the Internet > VPN Tunnels page, click the Add button to create a new IPsec policy.
  3. Give the tunnel a name, and then enter “CradlePoint” as the Local Identity and enter “NetVanta3120” as the Remote Identity.  Enter the same pre-shared key that will be entered in step 10 for configuring the Adtran.  The Initiation Mode may be set to “On Demand” or “Always On,” depending on your needs.  Click Next to continue.
  4. Under Local Networks, add the CradlePoint’s local network address and netmask for the network(s) that will be made available across the VPN.  Click Next to continue.
  5. Under Remote Gateway, enter the public IP address (or host name if available) of the WAN interface of the NetVanta.  Under Remote Networks, enter the “Network Address” and “Netmask” of the NetVanta’s private network that will be made available across the VPN tunnel.  Click Next to continue.
  6. For IKE Phase 1, make sure that the settings match how the NetVanta is configured.  In this example, to match the NetVanta’s settings, the Exchange Mode was changed to “Aggressive,” the “Key Lifetime” left at 28800, and all Encryption, Hash & DH Groups that were not configured on the Adtran have been unchecked.  Click Next to continue.
  7. For IKE Phase 2, again make sure that the settings match how the NetVanta is configured.  In this example, “Perfect Forward Secrecy” has been unchecked.  The “Key Lifetime” has been increased to 28800, and like above the unused Encryption, Hash & DH Groups have been unchecked.  Click Next to continue.
  8. For “Dead Peer Detection,” leave the settings at the default values and click Finish.
  9. At the “Tunnel Summary” screen, ensure that your settings are correct and click Yes to save the settings.
  10. At the VPN tunnels page, you will now see the new IPsec policy listed.  Click Enable VPN Service to start the VPN service.


ADTRAN CONFIGURATION:

  1. After logging into the Adtran, click the Data tab.
  2. Under “VPN”, click the VPN Wizard link.
  3. At the wizard’s welcome page, click Next.
  4. Choose “Typical Setup” and click Next.
  5. In the “VPN Peer Description” field, enter a name for the remote CradlePoint, then click Next.
    • In this example, the VPN peer is named “CradlePoint”.
  6. In the “Public Interface” field, select Adtran’s public WAN interface, then click Next.
    • In this example, the Public Interface selected is “Public (DHCP).”
  7. In the “Peer IP Address” field, enter the CradlePoint’s public WAN IP Address, then click Next.
    • In this example, the CradlePoint’s WAN IP is 166.142.176.196.
  8. In the “Remote Subnet” and “Remote Subnet Mask” fields, enter the private network behind the CradlePoint that will be made available through the tunnel, and then click Next.
    • In this example, the “Remote Subnet” is 192.168.0.0 and the “Remote Subnet Mask” is 255.255.255.0.
  9. In the “Local Network” page, select or manually enter the Adtran’s local network that will be made available through the tunnel, and then click Next.
    • In this example, the network “10.10.10.0/255.255.255.0” was chosen from the “Use Network From” drop-down.
  10. In the “Authentication Type” screen, choose Preshared Secret and enter a password that will be used on both sides of the tunnel.
  11. In the “Remote ID Type” field, choose Allow Any Remote ID.  It is also possible to use an e-mail address or IP address in this field if preferred, as long as both sides match.
  12. For the “Local ID Type,” leave it as “Domain Name”, and leave the “Local ID Value” at the default value, and then click Next.
  13. At the “Confirm Settings” page, make note of the IKE & IPsec settings that the NetVanta chose by default.  The CradlePoint will need to be entered with matching settings.
    • In the example, the NetVanta is using IKE Phase 1 Aggressive mode, Encryption type 3DES, Hash type MD5, DH Group 1, with a key lifetime of 28800.
    • The IKE Phase 2 (IPsec) settings in the example are Perfect Forward Secrecy disabled, Encryption type 3DES, Hash type MD5, with a key lifetime of 28800.  Keep in mind that these are not the same as the default settings on the CradlePoint.
    • Other combinations will also work as long as the settings match on both the CradlePoint and the NetVanta.  Click Finish to save your VPN configuration.
  14. At the “Wizard Complete” page, click Exit to get back to the main NetVanta UI.
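
The tunnel only establishes when both devices carry identical Phase 1/Phase 2 settings and mirrored peer addresses and networks, as steps 6 and 7 of the CradlePoint section and step 13 above require. The Python check below is an added example, not part of the original guide or of either vendor's tooling: it compares the two sides using this page's example values and lists the legacy choices (aggressive mode, 3DES, MD5, DH group 1, PFS disabled) worth replacing where both devices support stronger options. The dictionary layout, key names and the LEGACY table are assumptions made for the illustration.

```python
import ipaddress

# Values transcribed from this guide's example. The dictionary layout and
# key names are assumptions made for this illustration.
P1 = {"mode": "aggressive", "enc": "3des", "hash": "md5", "dh": 1, "lifetime": 28800}
P2 = {"pfs": False, "enc": "3des", "hash": "md5", "lifetime": 28800}
CRADLEPOINT = {"wan": "166.142.176.196", "peer": "184.76.124.69",
               "local": "192.168.0.0/255.255.255.0",
               "remote": "10.10.10.0/255.255.255.0",
               "phase1": dict(P1), "phase2": dict(P2)}
NETVANTA = {"wan": "184.76.124.69", "peer": "166.142.176.196",
            "local": "10.10.10.0/255.255.255.0",
            "remote": "192.168.0.0/255.255.255.0",
            "phase1": dict(P1), "phase2": dict(P2)}

# Legacy choices worth flagging in review: 3DES has a 64-bit block, MD5 is a
# deprecated hash, DH group 1 is 768-bit MODP, and aggressive mode with a
# pre-shared key exposes a PSK-derived hash to offline guessing.
LEGACY = {"enc": {"des", "3des"}, "hash": {"md5"}, "dh": {1, 2, 5},
          "mode": {"aggressive"}, "pfs": {False}}


def net(spec):
    """Parse 'address/netmask' so equal networks compare equal."""
    return ipaddress.ip_network(spec, strict=True)


def mismatches(a, b):
    """Return the settings that would keep the tunnel from establishing."""
    out = []
    if a["peer"] != b["wan"] or b["peer"] != a["wan"]:
        out.append("peer/WAN address")
    if net(a["local"]) != net(b["remote"]) or net(a["remote"]) != net(b["local"]):
        out.append("local/remote networks are not mirrored")
    for phase in ("phase1", "phase2"):
        for key in sorted(set(a[phase]) | set(b[phase])):
            if a[phase].get(key) != b[phase].get(key):
                out.append(f"{phase}.{key}")
    return out


def legacy_settings(side):
    """Return 'phase.key=value' for every setting listed in LEGACY."""
    return [f"{p}.{k}={v}" for p in ("phase1", "phase2")
            for k, v in side[p].items() if v in LEGACY.get(k, ())]


if __name__ == "__main__":
    print("mismatches:", mismatches(CRADLEPOINT, NETVANTA))
    print("legacy:", legacy_settings(CRADLEPOINT))
```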
