Series 3: How do I perform an IPSec VPN configuration between a CradlePoint router and a Cisco ASA?

This article was written based on firmware version 5.0.0.

Summary:
This article presents an example configuration of an IPSec VPN tunnel between a Series 3 CradlePoint router and a Cisco ASA.


Requirements:

  • CradlePoint model MBR1400, IBR600, IBR650, CBR400, or CBR450.
  • Cisco ASA running software 8.4 or newer
  • Static publicly routable IP addresses on both the CradlePoint and Cisco ASA. If this requirement is not met, reference Additional Resources for examples of other configurations.
  • Need for a secure connection between two remote networks




Terms:

  • IPSec – Protocol used for securing IP communications by authenticating and encrypting each IP packet of a communication session.
  • VPN – Virtual Private Network. Extends a private network across a public network like the Internet.



Example Configuration:



Configuring the CradlePoint Router:

  1. Navigate to the Internet tab.
  2. Select VPN Tunnels from the dropdown.
  3. Click Add at the top of the VPN Tunnels box.
  4. Enter a Tunnel Name and a Pre-Shared Key. (Please note that spaces are not permitted in the name.)
  5. Click Next.
  6. Under Local Networks, click Add.
  7. Enter the LAN IP network address and netmask of the CradlePoint router and click Save.
  8. Click Next.
  9. Under Remote Networks, enter the WAN IP of the Cisco ASA as the Gateway.
  10. Click Add, then enter the LAN IP network address and netmask of the network on the Cisco ASA to which the VPN will connect.
  11. Click Save and then click Next at the bottom of the window.
  12. Select the desired IKE Phase 1 parameters. (CradlePoint recommends AES-256 encryption, SHA1 hash, DH Group 1, and an IKE Phase 1 key lifetime of 86400.)
  13. Click Next.
  14. Select the desired IKE Phase 2 parameters. (CradlePoint recommends AES-256 encryption, SHA1 hash, DH Group 1, and a Phase 2 key lifetime of 3600.)
  15. Click Next.
  16. Configure Dead Peer Detection to your preferences. CradlePoint recommends keeping this setting enabled.
  17. Click Finish.
  18. On the Tunnel Summary screen, review the settings and make sure they are correct.
  19. Click Yes to enable the tunnel.



Configuring the Cisco Router:

Shown below is an example configuration for a Cisco router. Adjust it to match the settings you chose during the setup of the CradlePoint router.

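! Change to your ASA's WAN IP
interface Ethernet0/0
 nameif outside
 ip address 75.160.178.210 255.255.255.240

! Change to your ASA's LAN IP
interface Ethernet0/1
 nameif inside
 ip address 192.168.30.254 255.255.255.0

! IKE Phase 1 policy (ASA 8.4+ ikev1 syntax); must match the Phase 1 settings chosen on the CradlePoint
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable outside

! Pre-shared key for the CradlePoint peer; must match the Pre-Shared Key entered on the CradlePoint
tunnel-group 166.154.4.196 type ipsec-l2l
tunnel-group 166.154.4.196 ipsec-attributes
 ikev1 pre-shared-key <your pre-shared key>

! IKE Phase 2 transform set; must match the Phase 2 settings chosen on the CradlePoint
crypto ipsec ikev1 transform-set myset esp-aes-256 esp-sha-hmac

! Change to your LAN IPs (ASA LAN first, CradlePoint LAN second)
access-list encrypt_acl extended permit ip 192.168.30.0 255.255.255.0 192.168.100.0 255.255.255.0

! Change 166.154.4.196 to the CradlePoint WAN IP
crypto map ipsec_map 10 match address encrypt_acl
crypto map ipsec_map 10 set pfs
crypto map ipsec_map 10 set peer 166.154.4.196
crypto map ipsec_map 10 set ikev1 transform-set myset
crypto map ipsec_map interface outside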
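
Added example (not part of the original article, and not Cradlepoint or Cisco code): a small Python check that parses the Phase 1 and Phase 2 lines of an ASA configuration and lists every parameter that differs from the values selected on the CradlePoint. The names parse_asa, mismatches, CRADLEPOINT and ASA_SAMPLE are made up for this example, the parser accepts both the "crypto isakmp" and "crypto ikev1" keyword forms, and treating a bare "set pfs" as group 2 is an assumption.

```python
import re

# CradlePoint side: values quoted in steps 12 and 14 (SHA1 is "sha" on the ASA; Phase 2 DH group = PFS group).
CRADLEPOINT = {
    "phase1": {"encryption": "aes-256", "hash": "sha", "group": 1, "lifetime": 86400},
    "phase2": {"encryption": "aes-256", "hash": "sha", "pfs_group": 1},
}

# Constructed input modelled on the ASA lines in this article.
ASA_SAMPLE = """\
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set myset esp-aes-256 esp-sha-hmac
crypto map ipsec_map 10 set pfs
"""

def parse_asa(text):  # returns {"phase1": {...}, "phase2": {...}}
    p1, p2, in_policy = {}, {}, False
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("!"):  # skip blanks and ASA comments
            continue
        if re.match(r"crypto (isakmp|ikev1) policy \d+$", line):
            in_policy = True
            continue
        m = re.match(r"(authentication|encryption|hash|group|lifetime) (\S+)$", line)
        if in_policy and m:
            p1[m.group(1)] = int(m.group(2)) if m.group(2).isdigit() else m.group(2)
            continue
        in_policy = False  # any other command ends the policy sub-mode
        m = re.match(r"crypto ipsec (?:ikev1 )?transform-set \S+ esp-(\S+) esp-(\w+)-hmac$", line)
        if m:
            p2["encryption"], p2["hash"] = m.groups()
        m = re.match(r"crypto map \S+ \d+ set pfs(?: group(\d+))?$", line)
        if m:  # Assumption: a bare "set pfs" means group 2 (the 8.4-era ASA default).
            p2["pfs_group"] = int(m.group(1) or 2)
    return {"phase1": p1, "phase2": p2}

def mismatches(cradlepoint, asa):  # one string per parameter the two peers disagree on
    return [f"{phase} {key}: CradlePoint={want} ASA={asa[phase].get(key)}"
            for phase, params in cradlepoint.items()
            for key, want in params.items()
            if asa[phase].get(key) != want]

if __name__ == "__main__":
    print("\n".join(mismatches(CRADLEPOINT, parse_asa(ASA_SAMPLE))))
```

Run against the sample, it reports the DH group difference between the CradlePoint values in steps 12 and 14 (Group 1) and the ASA lines (group 2 for Phase 1 and for PFS). Both peers must be set to the same group before the tunnel will negotiate.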


Additional Resources:

