Series 3: How do I configure a VPN between a CradlePoint and Cisco router?

Beverly McRae

If you are unsure of your CradlePoint Series or Model number, please click here.

This article was written based on firmware version 4.3.2.

SUMMARY:

This document outlines how to set up an IPSec VPN tunnel between a CradlePoint Series 3 router and a Cisco router.

TERMS:

  • IPSec – protocol used for securing IP communications by authenticating and encrypting each IP packet of a communication session
  • VPN – Virtual Private Network.  Extends a private network across a public network like the Internet.


  • Cradlepoint Series 3 router capable of terminating an IPSec VPN Tunnel: MBR1400, IBR600, IBR650, CBR400, CBR450, CBA750B, MBR1200B.
  • Cisco router is running IOS 12.0 or newer.
  • Customer who needs a secure connection between two remote networks.
  • Static publicly routable IP Addresses on both the CradlePoint and Cisco routers.

DIRECTIONS:

Part A:  Configure IPSec Tunnel on the CradlePoint
Part B:  Configure Tunnel on the Cisco Router

A. Configure the CradlePoint router:

  1. Navigate to Internet -> VPN Tunnels.
  2. Click Enable VPN Service, then click Add.
  3. Enter a Tunnel Name and a Pre-Shared Key.
  4. Click Next.
  5. Under Local Networks, click Add, and then enter the LAN IP network address and netmask of the CradlePoint router and click Save.
  6. Click Next.
  7. Under Remote Networks, enter the Gateway (IP Address of the Cisco router’s interface that the VPN will connect to).
  8. Click Add, and then enter the LAN IP network address and netmask of the Cisco router and click Save.
  9. Click Next.
  10. Select the IKE Phase 1 parameters you want.  For efficiency, CradlePoint recommends DES encryption, SHA1 hash, and DH Group 1.
  11. Click Next.
  12. Select the IKE Phase 2 parameters you want. For efficiency, CradlePoint recommends DES encryption, SHA1 hash, and DH Group 1.
  13. The Cisco default Phase 2 Key Lifetime is 86400, so CradlePoint recommends setting it to that.
  14. Click Next.
  15. Configure Dead Peer Detection to your preferences.  We recommend keeping this enabled.
  16. Click Finish.
  17. You will see a Tunnel Summary screen.  Review the settings and make sure they are correct.
  18. Click Yes to enable the tunnel.

B.  Configure the Cisco router:

Make the necessary changes to the following config for your network and paste it into your Cisco router.

!
crypto isakmp policy 2
 authentication pre-share
crypto isakmp key <pre-shared key> address (IP Address of Cradlepoint WAN)
!
!
crypto ipsec transform-set ASA-IPSEC esp-des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description tunnel to cradlepoint
 set peer (IP Address of Cradlepoint WAN)
 set transform-set ASA-IPSEC
 match address 100
!
!
interface FastEthernet0 (Change interface to your WAN interface)
 switchport access vlan 50 (Change VLAN if necessary)
!
interface FastEthernet1 (Change interface to your LAN interface)
 switchport access vlan 10 (Change VLAN if necessary)
!
interface Vlan10
 ip address (Change to your LAN IP Address and mask)
!
interface Vlan50
 ip address (Change to your WAN IP Address and mask)
 crypto map SDM_CMAP_1
!
ip route (Change to Cradlepoint LAN and WAN)
!
access-list 100 permit ip
access-list 110 deny   ip
access-list 110 permit ip any
(Change the above IP ranges to match Cisco LAN)
!
!
!
!
route-map nonat permit 10
 match ip address 110
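One way to review the Cisco config before pasting it, as an added example that is not part of the original article or of any CradlePoint or Cisco tooling: DES and DH Group 1 are legacy proposals, and the ISAKMP policy above sets only the authentication method, so its other Phase 1 values come from the router's defaults. The function names, the sample address 203.0.113.10, the key placeholder and the assumed IOS 12.x defaults (DES, SHA, group 1) are this example's own.

```python
import re

# Values classic IOS 12.x applies when an ISAKMP policy omits a setting
# (assumption of this example; confirm with "show crypto isakmp policy").
IOS_DEFAULTS = {"encryption": "des", "hash": "sha", "group": "1"}
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac"}

# Constructed sample: crypto section of the article's Cisco config, with a
# documentation address and a placeholder key filled in.
SAMPLE = """\
crypto isakmp policy 2
 authentication pre-share
crypto isakmp key EXAMPLE-KEY address 203.0.113.10
!
crypto ipsec transform-set ASA-IPSEC esp-des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set ASA-IPSEC
 match address 100
"""

def audit(config):
    """Return findings for legacy IKE/IPsec proposals in an IOS config."""
    findings, policy, settings = [], None, {}

    def close_policy():
        # Judge the finished policy block, filling omitted settings with defaults.
        if policy is None:
            return
        for key, default in IOS_DEFAULTS.items():
            value = settings.get(key, default)
            how = "explicit" if key in settings else "implicit default"
            if value in WEAK[key]:
                findings.append(f"isakmp policy {policy}: {key} {value} ({how})")

    for line in config.splitlines() + ["!"]:  # trailing "!" flushes the last block
        if m := re.match(r"crypto isakmp policy (\d+)", line):
            close_policy()
            policy, settings = m.group(1), {}
        elif policy and (m := re.match(r"\s+(encr\w*|hash|group)\s+(\S+)", line)):
            key = "encryption" if m.group(1).startswith("encr") else m.group(1)
            settings[key] = m.group(2)
        elif not line.startswith(" "):
            close_policy()
            policy = None
            if m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
                weak = [t for t in m.group(2).split() if t in WEAK_TRANSFORMS]
                findings += [f"transform-set {m.group(1)}: {t}" for t in weak]
    return findings
```

Whatever stronger values are chosen on the Cisco side must also be selected in the CradlePoint Phase 1 and Phase 2 screens, since both peers have to agree on a proposal.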
