Cradlepoint Secure VPN-NAT (Powered by Asavie)
Products Supported: AER3100, AER2100, MBR1400v2, COR IBR1100 Series, and COR IBR600 series. Click here to identify your router.
Firmware Version: 5.4.0 - for information on upgrading firmware, click here.
Firmware version 6.0 has been released and introduces a vastly improved GUI for all current Series 3 routers. Cradlepoint has created new Knowledge Base articles with updated screen shots and instructions for the new GUI layout. As a result, this article has received its final update. To view the version of this Knowledge Base article for Firmware 6.0 and Later please click here.
Cradlepoint Secure VPN-NAT provides private data connectivity between your Cradlepoint LAN devices and a remote HQ network. This essentially allows any device connected to a Cradlepoint configured for Cradlepoint Secure VPN-NAT to access your office/remote network securely.
NOTE: CPSVPN requires ECM PRIME.
The NAT WAN configuration steps in this document describe how to configure the router for the following sample network:
A. HQ Network: 10.10.0.0/24
B. vCPE installed on host: 10.10.0.10.
C. vCPE adapter IP address is 172.31.255.1
D. Router IP range: 172.16.0.0/24 [IP address assigned to the CPSVPN tunnel by Asavie]
E. Remote LAN Network: 192.168.0.0/24
F. Remote device connected to router: 192.168.0.85
Configuration Difficulty: Intermediate
ECM/CPSVPN Setup - NAT WAN
- Step 1: Select Applications -> CP Secure VPN -> Manage:
- Step 2: Click Add, choose the router to assign the entitlement to, and hit Save:
- Step 3: Once all required routers are “entitled” select Advanced Settings.
- The CP Secure VPN Portal opens using SSO:
- Step 4: Choose NAT WAN.
- Step 5: Enter a Network IP Address to be used for routers (or accept the defaults). Click Next.
- Step 6: Specify a vCPE name & IP Address (or accept the defaults). Click Next.
- Step 7: The vCPE download option & activation code will display (this may take a few seconds). The vCPE can be installed now or choose “Skip” to install later.
- Step 8: Setup is complete. Click Next to continue.
- Step 9: The Portal opens on the Tunnels page. Details of entitled tunnels will be displayed. The next step is to return to ECM to configure routers. Click <Back.
vCPE Software Install
First you need to install the vCPE software on a server/computer that is connected to the LAN that you wish to have remote access to. This server/computer should be "Always-On", and running a 32-bit or 64-bit version of Windows OS.
- Step 1: From the server/computer you wish to install the vCPE software on, open the vCPE agent installer you downloaded in Step 7 above.
- Step 2: Follow the installation wizard until prompted for an Activation Code. Use the Activation Code given in Step 7 above and hit Next, then Install.
- Step 3: Once the vCPE Software is installed, we need to make sure the vCPE Service (1) and Tunnel (2) are both Connected. Click on the "CP" Icon (3) in the System Tray to open the vCPE Software if it is not already open. If the vCPE (1) is showing as "Connected" but the Tunnel (2) is "Down", click Restart and the tunnel should connect following the restart. If you are having issues with the vCPE Software click here.
Router Setup - NAT WAN
This section of the document describes how to configure the CPSVPN tunnel and required Zone Firewall options on a Cradlepoint IBR-600 module router via the Cradlepoint Enterprise Cloud Manager System. This configuration can also be done locally on the router.
- Step 1: Create a group in ECM for an IBR600 with 5.3.4 firmware and add a device to it. For instructions on how to set up a group in ECM please see this section of the ECM Getting Started article.
- Step 2: Select the newly created group, click on Configuration and then Edit.
- Step 3: Configure the Primary LAN. Select Network Settings -> Wifi/Local Networks. Tick the box beside "Primary LAN" and click Edit.
- Step 4: Select IPv4 settings. Set the required LAN IP range (all routers can use the same LAN IP range in the NAT WAN setup). Set the IPv4 Routing Mode to NAT, and hit Submit:
- Step 4: The next steps will set up the IOT Tunnel connection on the Cradlepoint. Click on Internet and select CP Secure VPN.
- Step 5: Under the CP Secure VPN, Click on Add and enter the following details of the account:
- Tunnel name: CP Secure VPN
- Remote Gateway: iot-101.accessmylan.com (US)
- Port: 443
- Certificate Name: CP Secure CA
- Ensure the Tunnel Enabled option is checked.
- Step 6: Click Next and add a local Network, which is the local Cradlepoint LAN (defaulted to 192.168.0.0/24) and then click Save.
- Step 7: Click Next, to continue with the Tunnel Configuration to add the remote network ranges.
- 172.31.255.0/30 represents the default vCPE virtual network adapter. If you have selected a different vCPE adapter IP range you should enter this here.
- 10.10.0.0/24 is the HQ network.
- Step 8: Click on Finish to complete the set up.
- Step 9: Next we will configure the Zone Firewall Settings. Navigate to Network Settings -> Firewall/QoS
- Step 10: Select Zone Firewall, then under the Zones section click Add.
- Step 11: In the Zones Editor give the Zone a Name, click Add once more to add the interface, click on the + next to WAN and select CPSVPN from the drop down. Click the + next to (any) and select the name of the CPSVPN Tunnel previously configured in Step 4. Click Save then Submit.
- Step 12: While still in the Zone Firewall section, scroll down to Forwardings. Under the Forwardings section we need to create two forwardings.
- Step 13: To add the first forwarding click Add
- Step 14: Make sure Enabled is checked. For the Source Zone, select the Zone created in Step 11. For the Destination Zone select WAN Zone and set the Filter Policy to Default Allow All. Click Submit.
- Step 15: To add the second forwarding click Add once more.
- Step 16: Make sure Enabled is checked. For the Source Zone, select the WAN Zone. For the Destination Zone select the Zone created in step 11, and set the Filter Policy to Default Deny All. Click Submit.
- Step 17: To finalize the Group Configuration from ECM click Commit Changes, and then click OK.
- Step 18: Lastly we will perform a test to verify functionality. Initiate a ping from the "Remote device connected to the router" (192.168.0.85 in our sample network) towards the vCPE adapter address 172.31.255.1.
- Step 19: Initiate a ping from the vCPE host (10.10.0.10 in our sample network) towards the router (on its Asavie-assigned IP address - you can check what this is in the CPSV portal, Tunnels page).
Zone NAT Settings (optional)
To facilitate access from the HQ network towards the remote devices we need to set up some “Zone NAT” rules.
For example, to forward the "Remote Desktop" port 3389, to allow RDP access to a remote machine:
- Step 1: Navigate to Network Settings -> Firewall -> Zone NAT.
- Step 2: Click Add and enter the following settings:
- Secure Zone Name: CPSVPN Zone (this is the zone you previously created)
- Use Port Range: Leave unticked
- Zone Port(s): 3389
- Local Computer: 192.168.0.85 (Enter the IP of the machine you want to RDP to)
- Local Port(s): 3389
- Protocol: TCP
- Step 3: Click Submit, then Commit Changes.
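The sample network and the Zone NAT rule above depend on four ranges that must not overlap, and on each host sitting in the range the steps assume. The following check of that address plan is an added example, not Cradlepoint or Asavie code; the names PLAN, HOSTS and check_plan are hypothetical, and the addresses are the article's sample values.

```python
import ipaddress as ip

# Address plan copied from the article's sample network (items A-F).
PLAN = {
    "hq_network": "10.10.0.0/24",
    "vcpe_adapter_net": "172.31.255.0/30",
    "router_tunnel_range": "172.16.0.0/24",
    "remote_lan": "192.168.0.0/24",
}
HOSTS = {  # host address -> network it must belong to
    "10.10.0.10": "hq_network",          # vCPE host
    "172.31.255.1": "vcpe_adapter_net",  # vCPE adapter
    "192.168.0.85": "remote_lan",        # remote device behind the router
}

def check_plan(plan, hosts, nat_target=None):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    nets = {}
    for name, cidr in plan.items():
        try:
            # strict=True rejects entries with host bits set, e.g. 10.10.0.10/24
            nets[name] = ip.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{name}: invalid network {cidr!r} ({exc})")
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            # Overlapping ranges make tunnel routing ambiguous.
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    for host, net_name in hosts.items():
        net = nets.get(net_name)
        if net is not None and ip.ip_address(host) not in net:
            problems.append(f"{host} is outside {net_name} {net}")
    # The Zone NAT "Local Computer" must be a host on the router's LAN.
    if nat_target is not None and "remote_lan" in nets:
        if ip.ip_address(nat_target) not in nets["remote_lan"]:
            problems.append(f"Zone NAT target {nat_target} is not on the remote LAN")
    return problems

if __name__ == "__main__":
    for line in check_plan(PLAN, HOSTS, nat_target="192.168.0.85") or ["plan OK"]:
        print(line)
```

Replace the values in PLAN and HOSTS with your own ranges before entering them in ECM; any reported problem should be resolved before committing the group configuration.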
vCPE Software Installation Issues
If you are having issues installing the vCPE agent click here.
Service or Tunnel Issues with the vCPE Software
If you are having issues with the vCPE Service or Tunnel making a connection click here.
Published Date: 4/20/2015