This article was written based on firmware version 2.2.1.
The CradlePoint products that this article refers to are in the End of Life process; there will be no further firmware updates for any of these products. All Knowledgebase articles related to these products have received their final update. To view our current product line, please visit https://cradlepoint.com/products.
A Virtual Private Network (VPN) interconnects remote (and often geographically separate) networks across primarily public communication infrastructure such as the Internet. This article explains how to set up a basic IPSEC VPN tunnel between two CradlePoint MBR1200 routers when the WAN connections on both routers are configured with publicly routable IP addresses.
These directions assume that you are using a static IP address on both sides of the IPSEC tunnel. If one or both routers are configured with a dynamic publicly routable IP address using a dynamic DNS service, use the dynamic DNS hostname instead of the static IP address and make sure that “Aggressive Mode” is checked.
For assistance configuring Series 3 CradlePoint routers, refer to "VPN setup example for static IP address connections", "VPN setup example for dynamic IP address connections", and "VPN NAT-T setup".
Before getting started, first make sure that both CradlePoint routers are online and are properly obtaining static IP addresses from your ISP(s). Additionally, you will need to make sure that the local networks of the routers are on different, non-overlapping subnets. For example, if Router #1 is already set up using the default network of 192.168.0.1, you would want to change Router #2's local network to use a different private network (such as 192.168.100.1 or 172.16.0.1). For assistance changing the local IP address of the CradlePoint MBR1200 router, please refer to this article: How to change the router's local IP address.
For maximum compatibility, we also recommend making sure that the CradlePoint routers’ firmwares are upgraded to the most recent version. The most recent CradlePoint firmware files can always be downloaded from http://www.cradlepoint.com/firmware.
After verifying that both CradlePoint routers are online with routable static IP addresses, and after verifying that both routers have been configured on different local subnets, the directions below will help configure a VPN tunnel between the two routers.
This is an example setup where both routers have routable static WAN IP addresses. Computer #1 is connected behind Router #1 and Computer #2 is connected behind Router #2.
Router #1 Setup
LAN IP address: 172.16.20.1
LAN subnet mask: 255.255.0.0
WAN IP address: [the static IP address on router #1]
Computer #1: 172.16.123.106
Router #2 Setup
LAN IP address: 192.168.0.1
LAN subnet mask: 255.255.255.0
WAN IP address: [the static IP address on router #2]
Computer #2: 192.168.0.199
A typical VPN tunnel between these routers would allow Computer #1 (and other computers getting addresses from Router #1) to connect directly to Computer #2 (and other computers getting addresses from Router #2) using a secure tunnel across the insecure public Internet.
Router #1 VPN configuration Steps:
1. [Router #1] Log into the CradlePoint’s admin console on Router #1.
2. [Router #1] Click “TOOLS” -> “IPSEC VPN”
3. [Router #1] Enter your IPSEC policy into the “ADD IPSEC POLICY” section.
Give the tunnel a unique (to that router) "Name".
Leave the Remote Identity field blank. The default settings for the Hash Algorithm, Cipher Algorithm, DH Group, Phase 1 & 2 Key Lifetimes should work fine when connecting to another MBR1200. Any other settings should also work as long as both sides are configured the same.
Choose a Pre-Shared Key for the IPSEC tunnel. Both routers will need to have the same Pre-Shared Key.
If both routers connect to the Internet with static IP addresses, disable Aggressive Mode. If one or the other router connects using a dynamic DNS hostname, leave Aggressive Mode checked.
Leave Perfect Forward Secrecy (PFS) and Dead Peer Detection enabled, as well as the timeout values below.
After entering your settings, click “Add Policy” to add the policy to the IPSEC POLICY LIST.
4. Once your IPSEC policy has been added, click Save Settings at the top of the page, then click Reboot Now.
Router #1 is now configured to connect to the IPSEC VPN tunnel. Now you will need to set up Router #2 with the corresponding settings.
Router #2 VPN configuration Steps:
1. [Router #2] Log into the CradlePoint’s admin console on Router #2.
2. [Router #2] Click TOOLS in the red bar, and then IPSEC VPN.
3. [Router #2] Enter your IPSEC policy into the ADD IPSEC POLICY section.
Give the tunnel a unique (to that router) “Name”.
Again, leave the Remote Identity field blank. The default settings for the Hash Algorithm, Cipher Algorithm, DH Group, Phase 1 & 2 Key Lifetimes should work fine when connecting to another MBR1200.
Use the same Pre-Shared Key that you entered into Router #1.
If both routers connect to the Internet with static IP addresses, disable Aggressive Mode. If one or the other router connects using a dynamic DNS hostname, leave Aggressive Mode checked. Both routers will need to have the same setting.
Again, leave Perfect Forward Secrecy (PFS) and Dead Peer Detection enabled, as well as the timeout values below.
After entering your settings, click Add Policy to add the policy to the IPSEC POLICY LIST.
4. Once the VPN tunnel has been configured and enabled, any traffic bound for the “remote network” will be sent across the VPN rather than being handled locally. You can view the status of the IPSEC VPN tunnel at STATUS in the red bar, and then IPSEC VPN.
This example VPN shows how to make local networks available across a VPN. If you need to have other local or public networks routed across the VPN, these networks will need to be added into the “Remote Gateway” settings for the router sending the traffic across the VPN.
For example, if the “Remote Gateway” in Router #2’s VPN configuration was changed from 172.16.0.0/255.255.0.0 to 0.0.0.0/0.0.0.0, this would force all Internet traffic coming from Router #2 to be sent across the VPN rather than being handled by Router #2’s WAN source.
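The checks above (non-overlapping LAN subnets, each router's remote network equal to the other's LAN, identical Pre-Shared Key and Aggressive Mode setting) can be verified before rebooting anything. The script below is an added example and not part of this article or the MBR1200 firmware; the policy dictionaries and their field names are constructed to mirror the example setup and are not the router's actual configuration format.

```python
import ipaddress

# Constructed sample policies mirroring the article's Router #1 / Router #2 setup.
ROUTER1 = {
    "local_lan": "172.16.20.1/255.255.0.0",       # LAN IP / subnet mask
    "remote_network": "192.168.0.0/255.255.255.0",  # "Remote Gateway" network
    "psk": "example-psk-change-me",                 # constructed placeholder
    "aggressive_mode": False,                       # both sides static -> off
    "hash": "SHA1", "cipher": "AES-128", "dh_group": 2,
}
ROUTER2 = dict(ROUTER1, local_lan="192.168.0.1/255.255.255.0",
               remote_network="172.16.0.0/255.255.0.0")

# Constructed misconfiguration: Router #2 moved onto Router #1's subnet and
# Aggressive Mode enabled on one side only.
BAD_ROUTER2 = dict(ROUTER2, local_lan="172.16.0.1/255.255.0.0",
                   aggressive_mode=True)


def network_of(addr_mask):
    """Return the network an 'ip/mask' entry belongs to (host bits dropped)."""
    return ipaddress.ip_network(addr_mask, strict=False)


def check_pair(a, b):
    """Return a list of mismatches between two peer policies; [] means OK."""
    problems = []
    lan_a, lan_b = network_of(a["local_lan"]), network_of(b["local_lan"])
    if lan_a.overlaps(lan_b):
        problems.append(f"LAN subnets overlap: {lan_a} and {lan_b}")
    # Each router's remote network must be the other router's LAN.
    for side, me, other in (("Router #1", a, b), ("Router #2", b, a)):
        want, got = network_of(other["local_lan"]), network_of(me["remote_network"])
        if got != want:
            problems.append(f"{side}: remote network {got} should be {want}")
    if a["psk"] != b["psk"]:
        problems.append("Pre-Shared Keys differ")
    # Phase 1/2 parameters and Aggressive Mode must match on both ends.
    for key in ("aggressive_mode", "hash", "cipher", "dh_group"):
        if a[key] != b[key]:
            problems.append(f"{key} differs: {a[key]!r} vs {b[key]!r}")
    return problems


if __name__ == "__main__":
    print("good pair:", check_pair(ROUTER1, ROUTER2) or "no problems")
    print("bad pair:", *check_pair(ROUTER1, BAD_ROUTER2), sep="\n  ")
```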