This article was written based on firmware version 4.4.2.
The WAN IP of the CradlePoint is a private IP address rather than a publicly routable IP address.
Various Internet service providers (ISPs) NAT their connections, meaning users may get Internet access without getting a public IP address. This can cause issues when setting up a VPN tunnel. This article explains how to set up a VPN tunnel when one of the endpoints connects to the Internet through an ISP that uses NAT.
NOTE: At least one of the routers is required to have a publicly routable IP address.
A. Gather the required information.
1. Internet IP address of public router.
- Connect to the Public Router.
- Log in to the admin pages.
- Click the Status tab then click Dashboard.
- In the Internet section an IP address is displayed; record this IP address and label it Public IP.
2. Internal network IP address of the public router.
- On the Dashboard screen locate the Local Networks section.
- Locate the Primary LAN heading; to the left you will see your internal IP. Record this IP address and label it Public Internal IP.
3. IP address of Client computer connected to the Public Router.
- Click the Status tab then click Client List.
- Select a Wired or Wireless client that will always be connected to this router, record the IP address of this device, and label it Public Internal Client.
4. Internal network IP of NAT’d router.
5. IP address of client connected to NAT’d router.
B. For the example presented in this article, the info above will be given the following values:
- Internet IP address of public router = 18.104.22.168
- Internal network IP of public router = 192.168.5.1
- Client Connected to public router = 192.168.5.87
- Internal network IP of NAT’d router = 192.168.0.1
C. Public Router Configuration:
- Connect to the Public Router then log into the administration pages.
- Click the Internet tab.
- Click VPN Tunnels.
- Click Enable VPN Service (if disabled).
- Click Add.
- Enter the Tunnel Name as PublicTunnel.
- Check the Anonymous box (VERY IMPORTANT).
- Enter the Local Identity as publiccp.
- Enter the Remote Identity as natcp.
- Enter test as the Pre-shared Key.
- Mode should be set to tunnel.
- Verify both Tunnel Enabled and MBR1200 Quick Connect are connected.
- Click Next.
- In the Local Networks section click Add.
- Enter the local IP address of the Public router (192.168.5.0).
- Click Save, then select Next.
- Enter the NAT’d router’s internal network (192.168.0.0).
- Click Save, then select Next.
- Verify that the Phase 1 and 2 Key Lifetime is set to 28800 and 3600 respectively.
- Check the box for Perfect Forward Secrecy if not already checked.
- Verify the Encrypting, Hash, and DH Groups are set to AES128, MD5, and Group 1 respectively.
- Click Next.
- Verify Dead Peer Detection is enabled then Click Finish.
- Verify the Tunnel Summary has the correct settings then click Yes.
D. Setting Up the NAT’d Router configuration
26. Connect your Internet source to the NAT’d router, open your web browser and type 192.168.0.1 in the URL bar.
27. Log into the CradlePoint and click Internet.
28. Then click VPN Tunnels.
29. Click Enable VPN Service (if disabled).
30. Click Add.
31. Enter the tunnel name as NATdCP.
32. Do Not Check the Anonymous box.
33. Enter the local Identity as natcp.
34. Enter the Remote Identity as publiccp.
35. Enter the Preshared Key, test.
36. Set the Mode to Tunnel.
37. Set the Initiation mode to Always On.
38. Check Tunnel Enabled and MBR1200 Quick Connect.
39. Click Next.
40. In the Local Networks section click Add.
41. Enter the local IP address of the Public router (192.168.0.0).
42. Click Save, then click Next.
43. Enter the Remote Gateway. (IP of Public Router)
44. Enter the Remote Network by clicking Add, then Save. This will be the local network on the Public Router.
45. Click Next.
46. Verify the Phase 1 and 2 Key Lifetime is set to 28800 and 3600 respectively.
47. Check the box for Perfect Forward Secrecy, if not already checked.
48. Verify the Encrypting, Hash, and DH Groups are set to AES128, MD5, and Group 1 respectively.
49. Then click Next.
50. Verify Dead Peer Detection is enabled then click Finish.
51. Verify the Tunnel Summary has the correct settings then click Yes.
52. Check the tunnel by using a Ping test set to the Public router’s internal network (22.214.171.124).
53. Check the Tunnel statistics, click the Status tab.
54. Then select VPN Tunnels.
NOTE: The VPN tunnel will always need to be initiated from the NAT’d router or a device on the NAT’d router’s LAN.
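The following is an added example, not CradlePoint code: a pre-deployment check over the two tunnel definitions built in sections C and D. It confirms that identities and networks mirror each other and flags the lab-grade values used in this walkthrough (key `test`, MD5, DH Group 1). The dictionary field names, the /24 masks and the minimum key length are assumptions; the article gives only the network addresses.

```python
import ipaddress

# Constructed from this article's example values. Field names are hypothetical
# (not a CradlePoint export format) and the /24 masks are an assumption.
PUBLIC = {"name": "PublicTunnel", "anonymous": True, "local_id": "publiccp",
          "remote_id": "natcp", "psk": "test", "local_net": "192.168.5.0/24",
          "remote_net": "192.168.0.0/24", "enc": "AES128", "hash": "MD5",
          "dh_group": 1, "pfs": True, "p1_life": 28800, "p2_life": 3600}
NATD = {"name": "NATdCP", "anonymous": False, "local_id": "natcp",
        "remote_id": "publiccp", "psk": "test", "local_net": "192.168.0.0/24",
        "remote_net": "192.168.5.0/24", "enc": "AES128", "hash": "MD5",
        "dh_group": 1, "pfs": True, "p1_life": 28800, "p2_life": 3600}

# Settings that must be swapped between the ends, and settings that must match.
MIRRORED = (("local_id", "remote_id"), ("remote_id", "local_id"),
            ("local_net", "remote_net"), ("remote_net", "local_net"))
IDENTICAL = ("psk", "enc", "hash", "dh_group", "pfs", "p1_life", "p2_life")


def mismatches(a, b):
    """List settings that keep the two ends from agreeing on the tunnel."""
    out = [f"{a['name']}.{x} != {b['name']}.{y}"
           for x, y in MIRRORED if a[x] != b[y]]
    out += [f"{k} differs between the two ends" for k in IDENTICAL if a[k] != b[k]]
    if a["anonymous"] == b["anonymous"]:
        out.append("exactly one end (the public router) must be Anonymous")
    if ipaddress.ip_network(a["local_net"]).overlaps(
            ipaddress.ip_network(b["local_net"])):
        out.append("local networks overlap, so traffic cannot be routed")
    return out


def weak_settings(cfg, min_psk_len=20):
    """Flag values too weak for production; min_psk_len is an assumed policy."""
    out = []
    if cfg["hash"].upper() == "MD5":
        out.append("hash MD5 is deprecated")
    if cfg["dh_group"] == 1:
        out.append("DH Group 1 is a 768-bit group")
    if len(cfg["psk"]) < min_psk_len:
        out.append(f"pre-shared key is shorter than {min_psk_len} characters")
    return out


if __name__ == "__main__":
    for line in mismatches(PUBLIC, NATD) + weak_settings(PUBLIC):
        print(line)
```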