Call Us at 888-550-8728

Series 3: How do I configure a VPN between a CradlePoint and Cisco router?

If you are unsure of CradlePoint Series or Model number, please click here
This article was written based on firmware version 4.3.2


This document outlines how to setup an IPSec VPN tunnel between a CradlePoint series three router and a Cisco router.


  • IPSec – protocol used for securing IP communications by authenticating and encrypting each IP packet of a communication session
  • VPN – Virtual Private Network.  Extends a private network across a public network like the Internet.


  • Cradlepoint Series 3 router capable of terminating an IPSec VPN Tunnel: MBR1400, IBR600, IBR650, CBR400, CBR450, CBA750B, MBR1200B.
  • Cisco router is running IOS 12.0 or newer.
  • Customer who needs a secure connection between two remote networks.
  • Static publicly routable IP Addresses on both the CradlePoint and Cisco routers.


Part A:  Configure IPSec Tunnel on the CradlePoint
Part B:  Configure Tunnel on the Cisco Router

A. Configure the CradlePoint router:

  1. Navigate to Internet -> VPN Tunnnels.
  2. Click the Enable VPN Service, then click Add.
  3. Enter a Tunnel Name and a Pre-Shared Key.
  4. Click Next.                                                                                                                      User-added image
  5. Under Local Networks, click Add, and then enter the LAN IP network address and netmask of the CradlePoint router and click Save.
  6. Click Next.                                                                                                            User-added image
  7. Under Remote Networks, enter the Gateway (IP Address of the Cisco router’s interface that the VPN will connect to).
  8. Click Add, and then enter the LAN IP network address and netmask of the Cisco router and click Save.
  9. Click Next.                                                                                                                User-added image
  10. Select the IKE Phase 1 parameters you want.  For efficiency, CradlePoint recommends DES encryption, SHA1 hash, and DH Group 1.
  11. Click Next.                                                                                                                               User-added image
  12. Select IKE Phase 2 parameters you want. For efficiency, CradlePoint recommends DES encryption, SHA1 hash, and DH Group 1.
  13. The Cisco default Phase 2 Key Lifetime is 86400, so CradlePoint recommends setting it to that.
  14. Click Next.                                                                                                                                  User-added image
  15. Configure Dead Peer Detection to your preferences.  We recommend keeping this enabled.
  16. Click Finish.                                                                                                       User-added image
  17. You will see a Tunnel Summary screen.  Review the settings and make sure they are correct.
  18. Click Yes to enable the tunnel.                                                                          User-added image

B.  Configure the Cisco router:

Make the necessary changes to the following config for your network and paste into your Cisco router.

crypto isakmp policy 2
 authentication pre-share
crypto isakmp key <pre-shared key> address (IP Address of Cradlepoint WAN)
crypto ipsec transform-set ASA-IPSEC esp-des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description tunnel to cradlepoint
 set peer (IP Address of Cradlepoint WAN)
 set transform-set ASA-IPSEC
 match address 100
interface FastEthernet0 (Change interface to your WAN interface)
 switchport access vlan 50 (Change VLAN if necessary)
interface FastEthernet1 (Change interface to your LAN interface)
 switchport access vlan 10 (Change VLAN if necessary)
interface Vlan10
 ip address (Change to your LAN IP Address and mask)
interface Vlan50
 ip address (Change to your WAN IP Address and mask)
 crypto map SDM_CMAP_1
ip route (Change to Cradlepoint LAN and WAN)
access-list 100 permit ip
access-list 110 deny   ip
access-list 110 permit ip any
(Change the above IP ranges to match Cisco LAN)
route-map nonat permit 10
 match Ip address 110

Category: Cradlepoint Series 3

← FAQs
Secured By miniOrange