NCOS: Cradlepoint Secure VPN-NAT (Powered by Asavie) Installation Guide

Products Supported: AER31x0, AER2100, AER 16x0, MBR1400v2, IBR11x0, and IBR6x0. Click here to identify your router.

NCOS Version: 6.0.0 - for information on upgrading NCOS Versions, click here.



Summary

Cradlepoint Secure VPN-NAT provides private data connectivity between your Cradlepoint LAN devices and a remote HQ network. This essentially allows any device connected to a Cradlepoint configured for Cradlepoint Secure VPN-NAT to access your office/remote network securely.

NOTE: CPSVPN requires NCM PRIME


Use Cases

Case 1

The NAT WAN configuration steps in this document describe how to configure the router for the following sample network:

  • HQ Network: 10.10.0.0 /24
  • vCPE installed on host: 10.10.0.10
  • vCPE adapter IP address is 172.31.255.1
  • Router IP range: 172.16.0.0 /24 [IP address assigned to the CPSVPN Tunnel by Asavie]
  • Remote LAN Network: 192.168.0.0 /24
  • Remote device connected to router: 192.168.0.85

Configuration

Configuration Difficulty: Intermediate

NCM/CPSVPN Setup - NAT WAN

  • Step 1: Select Applications -> CP Secure VPN -> Manage
  • Step 2: Click Add, choose the router to assign the entitlement to and click Save.
  • Step 3: Once all required routers are "entitled" select Advanced Settings.
    • The CP Secure VPN Portal opens using SSO.
  • Step 4: Choose NAT WAN.
  • Step 5: Enter a Network IP Address to be used for routers (or accept the defaults). Click Next.
  • Step 6: Specify a vCPE Name & IP Address (or accept the defaults). Click Next.
  • Step 7: The vCPE download option & activation code will display (this may take a few seconds). The vCPE can be installed now or choose to "Skip" to install later.
  • Step 8: Setup is complete. Click Next to continue.
  • Step 9: The Portal opens on the Tunnels page. Details of entitled tunnels will be displayed. The next step is to return to NCM to configure the routers. Click <Back.

vCPE Software Install

First you need to install the vCPE software on a server/computer that is connected to the LAN that you wish to have remote access to. This server/computer should be "Always-On", and running a 32-bit or 64-bit version of Windows OS.

  • Step 1: From the server/computer you wish to install the vCPE software on, open the vCPE agent installer you downloaded in Step 7 above.
  • Step 2: Follow the installation wizard until prompted for an Activation Code. Use the Activation Code given in Step 7 above and hit Next, then install.
  • Step 3: Once the vCPE Software is installed, make sure that both the vCPE Service (1) and the Tunnel (2) are Connected. Click on the "CP" Icon (3) in the System Tray to open the vCPE Software if it is not already open. If the vCPE (1) is showing as "Connected" but the Tunnel (2) is "Down", click Restart and the tunnel should connect following the restart. If you are having issues with the vCPE Software click here.

Router Setup - NAT WAN

This section of the document describes how to configure the CPSVPN tunnel and required Zone Firewall options on a Cradlepoint IBR-600 model router via the Cradlepoint NetCloud Manager System. This configuration can also be done locally on the router.

  • Step 1: Create a group in NCM for an AER2100 with 6.0.0 firmware and add a device to it. For instructions on how to set up a group in NCM please see this section of the NCM Getting Started article.
  • Step 2: Select the newly created group, click on Configuration and then Edit.
  • Step 3: Configure the Primary LAN. Select Networking -> Local Networks -> Local IP Networks. Check the box beside Primary LAN and click Edit.

  • Step 4: Select IPv4 Settings. Set the required LAN IP range (all routers can use the same LAN IP range in the NAT WAN setup). Set the IPv4 Routing Mode to NAT, and click Submit.

  • Step 5: The next steps will set up the IOT Tunnel connection on the Cradlepoint. Click on Networking -> Tunnels -> CP Secure VPN.

  • Step 6: Under the CP Secure VPN, click on Add and enter the following details of the account:
    • Tunnel name: CP Secure VPN
    • Remote Gateway: iot-101.accessmylan.com (US)
    • Port: 443
    • Certificate Name: CP Secure CA
    • Ensure the Tunnel Enabled option is checked.
  • Step 7: Click Next.

  • Step 8: Add the local network(s) of the Cradlepoint LAN (defaulted to 192.168.0.0 /24) and then click Update.
  • Step 9: Click Next.

  • Step 10: Add the remote network ranges for the Tunnel.
    • 172.31.255.0 /30 represents the default vCPE virtual network adapter. If you have selected a different vCPE adapter IP range you should enter this here.
    • 10.10.0.0 /24 is the HQ Network.

  • Step 11: Click on Finish to complete the setup.
  • Step 12: Next we will configure the Zone Firewall Settings. Navigate to Security -> Zone Firewall -> Zone Definition.
  • Step 13: Click on Add to add a new Zone to the firewall.
  • Step 14: Give your Zone a Name, click Add once more to add the interface, click on WAN and select CPSVPN from the drop down. Click the (any) and select the CP Secure VPN interface name.
  • Step 15: Click Update and then click Save.

  • Step 16: Now navigate to Security -> Zone Firewall -> Zone Forwarding.
  • Step 17: Click Add and enter the following details:
    • Check the box under Status to enable the Forwarding.
    • Under Source Zone select the Zone that you created in Step 12. For the Destination Zone select WAN Zone and for Filter Policy select Default Allow All. Then click Update.

  • Step 18: Now we need to add another Forwarding for the opposite. Click Add and enter the following details:
    • Check the box under Status to enable the Forwarding.
    • Under Source Zone select the WAN Zone, for the Destination Zone select the Zone that you created in Step 12, and for the Filter Policy select Default Deny All. Click Update.

  • Step 19: To finalize the Group Configuration from ECM, click Commit Changes and then click OK.
  • Step 20: Lastly we will perform a test to verify functionality. Initiate a ping from the "Remote device connected to the router" (192.168.0.85 in our sample network) towards the vCPE adapter address 172.31.255.1.
  • Step 21: Initiate a ping from the vCPE host (10.10.0.10 in our sample network) towards the router on its Asavie-assigned IP address. You can check what this is on the Tunnels page of the CPSVPN portal.
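
Before running the pings in Steps 20 and 21, the address plan entered in Steps 8 and 10 can be checked offline. The following is an added example, not part of the original article or of Cradlepoint's tooling. It uses the sample network values from this guide and assumes that the local, remote and router ranges must not overlap and that traffic enters the tunnel when its source is in a local network and its destination is in a remote network.

```python
# Added example: sanity-check the NAT WAN address plan from the sample network.
import ipaddress as ip

# Values taken from this guide's sample network (Use Cases, Steps 8 and 10).
LOCAL_NETS = ["192.168.0.0/24"]                    # Step 8: Cradlepoint LAN
REMOTE_NETS = ["172.31.255.0/30", "10.10.0.0/24"]  # Step 10: vCPE adapter net, HQ
TUNNEL_POOL = "172.16.0.0/24"                      # router IPs assigned by Asavie
HOSTS = {  # host -> list of networks, one of which must contain it
    "172.31.255.1": REMOTE_NETS,  # vCPE adapter
    "10.10.0.10": REMOTE_NETS,    # vCPE host
    "192.168.0.85": LOCAL_NETS,   # remote device behind the router
}

def _nets(cidrs):
    # strict=True rejects entries with host bits set, e.g. "10.10.0.10/24"
    return [ip.ip_network(c, strict=True) for c in cidrs]

def check_plan(local, remote, pool, hosts):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    named = [(f"local {n}", n) for n in _nets(local)]
    named += [(f"remote {n}", n) for n in _nets(remote)]
    named += [(f"tunnel pool {n}", n) for n in _nets([pool])]
    # Assumption: none of the ranges may overlap, or routing becomes ambiguous.
    for i, (name_a, a) in enumerate(named):
        for name_b, b in named[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{name_a} overlaps {name_b}")
    # A vCPE adapter moved to another range without updating Step 10 shows up here.
    for host, cidrs in hosts.items():
        if not any(ip.ip_address(host) in n for n in _nets(cidrs)):
            problems.append(f"{host} is not covered by {', '.join(cidrs)}")
    return problems

def uses_tunnel(src, dst, local, remote):
    """Assumption: traffic is tunnelled when src is local and dst is remote."""
    s, d = ip.ip_address(src), ip.ip_address(dst)
    return any(s in n for n in _nets(local)) and any(d in n for n in _nets(remote))

if __name__ == "__main__":
    print(check_plan(LOCAL_NETS, REMOTE_NETS, TUNNEL_POOL, HOSTS) or "plan OK")
    # Step 20's ping: remote device -> vCPE adapter
    print(uses_tunnel("192.168.0.85", "172.31.255.1", LOCAL_NETS, REMOTE_NETS))
```

An empty result from check_plan means the Step 20 ping target is covered by the remote networks entered in Step 10; a reported host is the first thing to correct if that ping fails.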

Zone NAT Settings (optional)

To facilitate access from the HQ network towards the remote devices we need to set up some "Zone NAT" rules.

For example, to forward the "Remote Desktop" port 3389 and allow RDP access to a remote machine:

  • Step 1: Navigate to Security -> Zone Firewall -> NAT.
  • Step 2: Click Add under NAT and enter the following settings:

    • Source Zone Name: CPSVPN Zone (this is the zone you previously created)
    • Inbound Port(s): 3389 -> 3389
    • Local Computer: 192.168.0.85 (Enter the IP of the machine you want to RDP to)
    • Local Port(s): 3389 -> 3389
    • Protocol: TCP
  • Step 3: Click Submit, then click Commit Changes.



Troubleshooting

For vCPE Software installation Issues: Click Here

For Service or Tunnel Issues with the vCPE Software: Click Here



Published Date: 07/14/2017
