NCOS: VPN Quick Start Guide for Capable Cradlepoint Products

Products Supported: AER3100, AER2100, AER16x0, MBR1400, MBR1200B, IBR6x0, IBR6x0B, IBR6x0C, IBR11x0, IBR 9x0. Click here to identify your router.

NCOS Version: 6.3 - for information on upgrading NCOS Versions, click here.


Quick Links

Summary

Configuration

Logging

Use Cases

Related Articles


Summary

This article provides a general explanation of how to set up an IPSec VPN tunnel.


Configuration

Configuration Difficulty: Intermediate
  • Step 1: Log into NCOS. For help with logging in please click here.
  • Step 2: Click on Networking and select Tunnels and then IPSec VPN.
  • Step 3: Under Global Settings, check the box to Enable VPN Service and then select Save.
  • Step 4: Under Tunnels click Add.
  • Step 5: Configure the General settings for the VPN tunnel.
    • Name: The name is to allow you to easily reference the Tunnel so it should be simple but descriptive.
    • IKE Version (Added in 6.3.0): This determines which version of the Internet Key Exchange your VPN will use. IKEv2 includes MOBIKE and requires your device to be licensed for the feature. IKEv1 will work with no licensing.
    • Local Identity: This is not required for connections with static IP addresses, but you can use it if you’d like to. Make it whatever you want; this is your identity, but it must match the Remote Identity in the other end of the tunnel’s settings. If you are using a Dynamic DNS domain service for your DHCP IP address from your carrier, you will want to add a Local Identity here. This essentially adds an additional layer of security when initializing the secured tunnel. If you use a Local Identity, you must use a Remote Identity on the other end of the tunnel.
    • Remote Identity: This is not required for connections with static IP addresses, but you can use it if you’d like to. Make it whatever you want; this is the other end of the tunnel’s identity, but it must match the Local Identity in the other end of the tunnel’s settings. If you are using a Dynamic DNS domain service for your DHCP IP address from your carrier, you will want to add a Remote Identity here. This essentially adds an additional layer of security when initializing the secured tunnel. If you use a Remote Identity, you must use a Local Identity on the other end of the tunnel.
    • Pre-shared Key: Any password works here, it just must be the same on both ends of the tunnel.
    • Initiation Mode:
      • Always On is used if you want the router to initiate the tunnel connection whenever the WAN becomes available.
      • On Demand is used when you want the router to initiate the tunnel connection if and only if there is data traffic intended for the remote side of the tunnel.
    • Ensure the Tunnel Enabled checkbox is checked.
  • Step 6: Click Next.
  • Step 7: Configure Local Networks.
    • Click Add to specify a new Local Network.
    • Network Address: The network address of any LANs you want to be accessible across the VPN.
    • Subnet Mask: The Subnet Mask of the network described in the Network Address.
  • Step 8: Click Next.
  • Step 9: Configure the Remote Gateway and Networks.
    • Remote Gateway: The WAN IP of the device terminating the other end of the VPN tunnel.
    • Remote Networks: The network address of the LANs you wish to reach across the VPN tunnel.
    • Subnet Mask: The Subnet Mask of the network described in the Remote Networks.
  • Step 10: Click Next.
  • Step 11: Configure IKE Phase 1 settings.
    • Exchange Mode: Main should be used when both sides of the tunnel have public WAN IPs. Aggressive is used when one side is a NAT'd IP.
    • Encryption: Select the Encryption Algorithm(s) you wish to use.
    • Hash: Select the Hash Algorithm(s) you wish to use.
    • DH Groups: Select the Diffie-Hellman Group(s) you wish to use.
    • Note: These settings will need to match the IKE Phase 1 settings on the other side of the tunnel.
    • Note: In 6.3.0 and newer the IKE Suite B presets are Suite B-compliant sets of Encryption, Hash, and DH Group algorithms. Suite B compliance requires the use of IKEv2. See RFC 6379.
  • Step 12: Click Next.
  • Step 13: Configure IKE Phase 2 settings.
    • Perfect Forward Secrecy: Enabling this feature will require IKE to generate a new set of keys in Phase 2 rather than using the same key generated in Phase 1.
    • Encryption: Select the Encryption Algorithm(s) you wish to use.
    • Hash: Select the Hash Algorithm(s) you wish to use.
    • DH Groups: Select the Diffie-Hellman Group(s) you wish to use.
    • Note: These settings will need to match the IKE Phase 2 settings on the other side of the tunnel.
    • Note: In 6.3.0 and newer the IKE Suite B presets are Suite B-compliant sets of Encryption, Hash, and DH Group algorithms. Suite B compliance requires the use of IKEv2. See RFC 6379.
  • Step 14: Click Next.
  • Step 15: Configure Dead Peer Detection settings as needed.
  • Step 16: Click Finish.
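The steps above are mostly pairs of settings that have to agree across the two routers (identities cross-matched, the same Pre-shared Key, each side's Local Networks equal to the other side's Remote Networks, overlapping Phase 1 and Phase 2 proposals, IKEv2 whenever a Suite B preset is used). The following added example, written for this article and not Cradlepoint code, models both ends of a tunnel and reports every mismatch before you click Finish; the field names, the two sample sites and their addresses are constructed.

```python
from collections import namedtuple
from dataclasses import dataclass, replace

# One IKE phase: the set of algorithms ticked in the GUI for Encryption, Hash and DH Groups.
Proposal = namedtuple("Proposal", "encryption hash dh_groups")

@dataclass(frozen=True)
class TunnelEnd:                     # what one router's tunnel form holds (constructed model)
    name: str
    wan_ip: str
    local_identity: str
    remote_identity: str
    psk: str
    ike_version: int
    local_networks: frozenset        # Step 7: Local Networks
    remote_gateway: str              # Step 9: Remote Gateway
    remote_networks: frozenset       # Step 9: Remote Networks
    phase1: Proposal
    phase2: Proposal
    suite_b: bool = False            # an IKE Suite B preset was chosen

def check_pair(a: TunnelEnd, b: TunnelEnd) -> list:
    p = []                           # human-readable list of reasons the tunnel will not come up
    for fld, label in (("psk", "Pre-shared Key"), ("ike_version", "IKE Version")):
        if getattr(a, fld) != getattr(b, fld):
            p.append(f"{label} differs between ends")
    for x, y in ((a, b), (b, a)):    # checks that are mirrored: run once from each side
        if x.local_identity != y.remote_identity:
            p.append(f"{x.name} Local Identity != {y.name} Remote Identity")
        if x.remote_gateway != y.wan_ip:
            p.append(f"{x.name} Remote Gateway is not {y.name}'s WAN IP")
        if x.local_networks != y.remote_networks:
            p.append(f"{x.name} Local Networks != {y.name} Remote Networks")
        if x.suite_b and x.ike_version != 2:
            p.append(f"{x.name}: Suite B preset requires IKEv2")
    for phase in ("phase1", "phase2"):   # each phase needs at least one common choice per field
        for fld in ("encryption", "hash", "dh_groups"):
            if not getattr(getattr(a, phase), fld) & getattr(getattr(b, phase), fld):
                p.append(f"{phase}: no common {fld}")
    return p

PROP = Proposal(frozenset({"aes256"}), frozenset({"sha256"}), frozenset({"14"}))
SITE_A = TunnelEnd("HQ", "198.51.100.10", "hq.example", "branch.example", "s3cret", 2,
                   frozenset({"10.1.0.0/24"}), "203.0.113.20", frozenset({"10.2.0.0/24"}), PROP, PROP)
SITE_B = TunnelEnd("Branch", "203.0.113.20", "branch.example", "hq.example", "s3cret", 2,
                   frozenset({"10.2.0.0/24"}), "198.51.100.10", frozenset({"10.1.0.0/24"}), PROP, PROP)
# Branch misconfigured: identity typo, IKEv1 with a Suite B preset, Phase 2 DH group mismatch
BROKEN_B = replace(SITE_B, local_identity="branch.exmaple", ike_version=1, suite_b=True,
                   phase2=PROP._replace(dh_groups=frozenset({"5"})))

def demo():                          # (problems for the good pair, problems for the broken pair)
    return check_pair(SITE_A, SITE_B), check_pair(SITE_A, BROKEN_B)
```

Running `demo()` returns an empty list for the matching pair and four findings for the broken one, in the order the checks run.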

Logging

In 6.3.0 and newer, the Logging tab was added to the Networking > Tunnels > IPSec VPN page. On this tab you have the ability to enable verbose logging for the IPSec VPN tunnels, which is then shown in the System Logs.

By default all subsystems are set to log level 1. To configure logging click Add and select a Subsystem and Log Level.

Subsystems

  • default: The default encompasses all other subsystems.
  • app: applications other than daemons
  • asn: Low-level encoding/decoding (ASN.1, X.509)
  • cfg: Configuration management and plugins
  • chd: CHILD_SA/IPsec SA (IKE Phase 2)
  • dmn: Main daemon setup/cleanup/signal handling
  • enc: Packet encoding/decoding encryption/decryption operations (ESP)
  • esp: libipsec library messages
  • ike: IKE_SA/ISAKMP SA (IKE Phase 1)
  • imc: Integrity Measurement Collector
  • imv: Integrity Measurement Verifier
  • job: Jobs queuing/processing and thread pool management
  • knl: IPsec/Networking kernel interface
  • lib: libstrongswan library messages
  • mgr: IKE_SA manager, handling synchronization for IKE_SA access
  • net: IKE network communication
  • pts: Platform Trust Service
  • tls: libtls library messages
  • tnc: Trusted Network Connect

Log Levels

  • -1: Absolutely silent
  • 0: Very basic auditing log (for example: SA up/SA down)
  • 1: Generic control flow with errors (a good default to see what's going on)
  • 2: More detailed debugging control flow
  • 3: Including RAW data dumps in hex
  • 4: Also include sensitive material in dumps such as keys
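Because level 3 puts raw hex dumps and level 4 puts key material into the System Logs, it is worth knowing the effective level of every subsystem after a troubleshooting session. This added example (not Cradlepoint code) resolves a list of Logging tab entries the way the table above describes, with `default` supplying the level for every subsystem not listed explicitly and the factory value being 1; the assumption that a later entry for the same subsystem overrides an earlier one, and the sample entries, are constructed.

```python
SUBSYSTEMS = ("app", "asn", "cfg", "chd", "dmn", "enc", "esp", "ike", "imc", "imv",
              "job", "knl", "lib", "mgr", "net", "pts", "tls", "tnc")
LEVELS = {-1: "silent", 0: "basic auditing", 1: "control flow", 2: "detailed debugging",
          3: "raw hex dumps", 4: "sensitive material such as keys"}

def effective_levels(entries):
    """entries: (subsystem, level) pairs as added on the Logging tab; later entries win (assumed)."""
    levels = {}
    for subsystem, level in entries:
        if subsystem != "default" and subsystem not in SUBSYSTEMS:
            raise ValueError(f"unknown subsystem {subsystem!r}")
        if level not in LEVELS:
            raise ValueError(f"log level {level} outside -1..4")
        levels[subsystem] = level
    base = levels.pop("default", 1)             # 'default' covers all subsystems not set explicitly
    return {s: levels.get(s, base) for s in SUBSYSTEMS}

def audit(entries):
    """Subsystems whose level writes packet contents (3) or key material (4) into the System Logs."""
    return {s: f"{lvl}: {LEVELS[lvl]}" for s, lvl in effective_levels(entries).items() if lvl >= 3}

# constructed: verbose IKE troubleshooting left enabled, with key dumps still on for 'enc'
TROUBLESHOOT = [("default", 1), ("ike", 2), ("enc", 3), ("enc", 4), ("net", 3)]
```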

Use Cases

General VPN Setup

VPN to Other Vendors


Related Articles/Links


Published Date: 07/14/2017

