Series 3: How do I configure a VPN Tunnel using NAT-Traversal on my CradlePoint router?

If you are unsure of CradlePoint Series or Model number, please click here.

This article was written based on firmware version 4.4.2

Symptom:

The WAN IP of the CradlePoint is a private IP address rather than a publicly routable IP address.

Cause:

Various Internet service providers (ISPs) NAT their connections, meaning users may not get a public IP address but still get internet access. This can cause issues when setting up a VPN tunnel. This article explains how to set up a VPN tunnel when one of the endpoints connects to the internet from behind an ISP's NAT.

NOTE:  At least one of the routers is required to have a publicly routable IP address.

Resolution:

A.  Gather the required information.

  1. Internet IP address of public router.
    1. Connect to the Public Router.
    2. Log in to the admin pages.
    3. Click the Status tab then click Dashboard.
    4. In the Internet section an IP address is displayed; record this IP address and label it Public IP.
  2. Internal network IP address of the public router.
    1. On the Dashboard screen locate the Local Networks section.
    2. Locate the Primary LAN heading and to the left you will see your internal IP; record this IP address and label it Public Internal IP.
  3. IP address of Client computer connected to the Public Router.
    1. Click the Status tab then click Client List.
    2. Select a Wired or Wireless client that will always be connected to this router; record the IP address of this device and label it Public Internal Client.
  4. Internal network IP of NAT’d router.
  5. IP address of client connected to NAT’d router.

B.  For the example presented in this article, the info above will be given the following values:

  1. Internet IP address of public router = 108.122.50.97
  2. Internal network IP of public router = 192.168.5.1
  3. Client Connected to public router = 192.168.5.87
  4. Internal network IP of NAT’d router = 192.168.0.1

C.  Public Router Configuration:

  1. Connect to the Public Router then log into the administration pages.
  2. Click the Internet tab.
  3. Click VPN Tunnels.
  4. Click Enable VPN Service (if disabled).
  5. Click Add.
  6. Enter the Tunnel Name as PublicTunnel.
  7. Check the Anonymous box (VERY IMPORTANT).
  8. Enter the Local Identity as publiccp
  9. Enter the remote Identity as natcp
  10. Enter test as the Pre-shared Key.
  11. Mode should be set to tunnel.
  12. Verify both Tunnel Enabled and MBR1200 Quick Connect are connected.
  13. Click Next.
  14. In the Local Networks section click Add.
  15. Enter the local IP address of the Public router (192.168.5.0).
  16. Click Save, then select Next.
  17. Enter the NAT’d router’s internal network (192.168.0.0).
  18. Click Save, then select Next.
  19. Verify that the Phase 1 and 2 Key Lifetime is set to 28800 and 3600 respectively.
  20. Check the box for Perfect Forward Secrecy if not already checked.
  21. Verify the Encrypting, Hash, and DH Groups are set to AES128, MD5, and Group 1 respectively.
  22. Click Next.
  23. Verify Dead Peer Detection is enabled then click Finish.
  24. Verify the Tunnel Summary has the correct settings then click Yes.

D.  Setting Up the NAT’d Router configuration

  1. Connect your Internet source to the NAT’d router, open your web browser and type 192.168.0.1 in the URL bar.
  2. Log into the CradlePoint and click Internet.
  3. Then click VPN Tunnels.
  4. Click Enable VPN Service (if disabled).
  5. Click Add.
  6. Enter the tunnel name as NATdCP.
  7. Do Not Check the Anonymous box.
  8. Enter the local Identity as natcp.
  9. Enter the Remote Identity as publiccp.
  10. Enter test as the Pre-shared Key.
  11. Set the Mode to Tunnel.
  12. Set the Initiation mode to Always On.
  13. Check Tunnel Enabled and MBR1200 Quick Connect.
  14. Click Next.
  15. In the Local Networks section click Add.
  16. Enter the local IP address of the Public router (192.168.0.0).
  17. Click Save, then click Next.
  18. Enter the Remote Gateway. (IP of Public Router)
  19. Enter the Remote Network by clicking Add, then Save. This will be the local network on the Public Router.
  20. Click Next.
  21. Verify the Phase 1 and 2 Key Lifetime is set to 28800 and 3600 respectively.
  22. Check the box for Perfect Forward Secrecy, if not already checked.
  23. Verify the Encrypting, Hash, and DH Groups are set to AES128, MD5, and Group 1 respectively.
  24. Then click Next.
  25. Verify Dead Peer Detection is enabled then click Finish.
  26. Verify the Tunnel Summary has the correct settings then click Yes.
  27. Check the tunnel by using a Ping test set to the Public router’s internal network (192.158.0.1).
  28. To check the Tunnel statistics, click the Status tab.
  29. Then select VPN Tunnels.

NOTE:  The VPN tunnel will always need to be initiated from the NAT’d router or a device on the NAT’d router’s LAN.
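
The two tunnel definitions above only come up if each side mirrors the other. The following Python check is an added example, not CradlePoint code: it models both routers with the article's values and reports mismatches, and it flags the lab-grade settings (pre-shared key test, MD5, DH Group 1) that should be replaced before production use. The dictionary keys, the /24 masks, the NAT'd router's WAN address 10.20.30.40 and the strength thresholds are assumptions of this example.

```python
import ipaddress

# Constructed from the article's example values. Key names, the /24 masks and
# the NAT'd router's WAN address are assumptions of this example.
SHARED = {"psk": "test", "p1_life": 28800, "p2_life": 3600, "pfs": True,
          "enc": "AES128", "hash": "MD5", "dh": 1}
PUBLIC = dict(SHARED, anonymous=True, local_id="publiccp", remote_id="natcp",
              wan_ip="108.122.50.97", remote_gateway=None,
              local_net="192.168.5.0/24", remote_net="192.168.0.0/24")
NATD = dict(SHARED, anonymous=False, local_id="natcp", remote_id="publiccp",
            wan_ip="10.20.30.40", remote_gateway="108.122.50.97",
            local_net="192.168.0.0/24", remote_net="192.168.5.0/24")


def check_pair(public, natd):
    """Return a list of mismatches between the two tunnel definitions."""
    problems = []
    # Identities and protected networks must mirror each other.
    for mine, theirs in (("local_id", "remote_id"), ("local_net", "remote_net")):
        if public[mine] != natd[theirs] or natd[mine] != public[theirs]:
            problems.append(f"{mine}/{theirs} do not mirror")
    # Both ends must use the same key and the same Phase 1/2 parameters.
    for key in SHARED:
        if public[key] != natd[key]:
            problems.append(f"{key} differs")
    # Roles from the article: the public router has a routable WAN address and
    # has Anonymous checked; the NAT'd router points at it as remote gateway.
    if not ipaddress.ip_address(public["wan_ip"]).is_global:
        problems.append("public router WAN IP is not publicly routable")
    if not public["anonymous"] or natd["anonymous"]:
        problems.append("Anonymous must be set on the public router only")
    if natd["remote_gateway"] != public["wan_ip"]:
        problems.append("remote gateway is not the public router's WAN IP")
    # Overlapping LANs cannot be routed across the tunnel.
    a, b = (ipaddress.ip_network(c["local_net"]) for c in (public, natd))
    if a.overlaps(b):
        problems.append("local networks overlap")
    return problems


def weak_settings(cfg, min_dh=14, min_psk_len=20):
    """Flag lab-grade values; the thresholds are this example's assumptions."""
    flags = []
    if cfg["hash"].upper() == "MD5":
        flags.append("hash")
    if cfg["dh"] < min_dh:
        flags.append("dh")
    if len(cfg["psk"]) < min_psk_len:
        flags.append("psk")
    return flags
```

Run `check_pair(PUBLIC, NATD)` after filling in your own values; an empty list means the two sides mirror each other, and `weak_settings` lists which of the hash, DH group and pre-shared key still need strengthening.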

