NCOS: Cradlepoint Secure VPN-NAT (Powered by Asavie) Installation Guide
Products Supported: AER31x0, AER2100, AER 16x0, MBR1400v2, IBR11x0, and IBR6x0. Click here to identify your router.
NCOS Version: 6.0.0 - for information on upgrading NCOS Versions, click here.
Cradlepoint Secure VPN-NAT provides private data connectivity between your Cradlepoint LAN devices and a remote HQ network. This essentially allows any device connected to a Cradlepoint configured for Cradlepoint Secure VPN-NAT to access your office/remote network securely.
NOTE: CPSVPN requires NCM PRIME
The NAT WAN configuration steps described in the document above describe how to configure router for the following sample network:
- HQ Network: 10.10.0.0 /24
- vCPE installed on host: 10.10.0.10
- vCPE adapter IP address is 172.31.255.1
- Router IP range: 172.16.0.0 /24 [IP address assigned to the CPSVPN Tunnel by Asavie]
- Remote LAN Network: 192.168.0.0 /24
- Remote device connected to router: 192.168.0.85
Configuration Difficulty: Intermediate
NCM/CPSVPN Setup - NAT WAN
- Step 1: Select Applications -> CP Secure VPN -> Manage
- Step 2: Click Add, choose the router to assign the entitlement to and click Save.
- Step 3: Once all require routers are "entitled" select Advanced Settings.
- The CP Secure VPN Portal opens using SSO.
- Step 4: Chose NAT WAN.
- Step 5: Enter a Network IP Address to be used for routers (or accept the defaults). Click Next.
- Step 6: Specify a vCPE Name & IP Address (or accept the defaults). Click Next.
- Step 7: The vCPE download option & activation code will display (this may take a few seconds). The vCPE can be installed now or choose to "Skip" to install later.
- Step 8: Setup is complete. Click Next to continue.
- Step 9: The Portal opens on the Tunnels page. Details of entitled tunnels will be displayed. The next step is to return to NCM to configure the routers. Click <Back.
vCPE Software Install
First you need to install the vCPE software on a server/computer that is connected to the LAN that you wish to have remote access to. This server/computer should be "Always-On", and running a 32-bit or 64-bit version of Windows OS.
- Step 1: From the server/computer you wish to install the vCPE software on, open the vCPE agent installer you downloaded in Step 7 above.
- Step 2: Follow the installation wizard until prompted for an Activation Code. Use the Activation Code given in Step 7 above and hit Next, then install.
- Step 3: Once the vCPE Software is installed, we need to make sure both the vCPE Service (1) and Tunnel (2) are both Connected. Click on the "CP" Icon (3) in the System Tray to open the vCPE Software if it is not already open. If the vCPE (1) is showing as "Connected" but the Tunnel (2) is "Down", click Restart and the tunnel should connect following the restart. If you are having issues with the vCPE Software click here
Router Setup - NAT WAN
This section of the document describes how to configure the CPSVPN tunnel and required Zone Firewall options on a Cradlepoint IBR-600 model router via the Cradlepoint NetCloud Manager System. This configuration can also be done locally on the router.
- Step 1: Create a group in NCM for an AER2100 with 6.0.0 firmware and add a device to it. For instructions on how to setup a group in NCM please see this section of the NCM Getting Started article.
- Step 2: Select the newly created group, click on Configuration and then Edit.
- Step 3: Configure the Primary LAN. Select Networking -> Local Networks -> Local IP Networks. Check the box beside Primary LAN and click Edit.
- Step 4: Select IPv4 Settings. Set the required LAN IP range (all routers can use the same LAN IP range in the NAT WAN setup). Set the IPv4 Routing Mode to NAT, and click Submit.
- Step 5: The next steps will set up the IOT Tunnel connection on the Cradlepoint. Click on Networking -> Tunnels -> CP Secure VPN.
- Step 6: Under the CP Secure VPN, click on Add and enter the following details of the account:
- Tunnel name: CP Secure VPN
- Remote Gateway: iot-101.accessmylan.com (US)
- Port: 443
- Cerificate Name: CP Secure CA
- Ensure the Tunnel Enabled option is checked.
- Step 7: Click Next.
- Step 8: Add the local network(s) of the Cradlepoint LAN (defaulted to 192.168.0.0 /24) and then click Update.
- Step 9: Click Next.
- Step 10: Add the remote network ranges for the Tunnel.
- 172.31.255.0 /30 represents the default vCPE virtual network adapter. If you have selected a different vCPE adapter IP range you should enter this here.
- 10.10.0.0 /24 is the HQ Network.
- Step 11: Click on Finish to complete the setup.
- Step 12: Next we will configure the Zone Firewall Settings. Navigate to Security -> Zone Firewall -> Zone Definition.
- Step 13: Click on Add to add a new Zone to the firewall.
- Step 14: Give your Zone a Name, click Add once more to add the interface, click on WANand select CPSVPN from the drop down. Click the (any) and select the CP Secure VPN interface name.
- Step 15: Click Update and then click Save.
- Step 16: Now navigate to Security -> Zone Firewall -> Zone Forwarding.
- Step 17: Click Add and enter the following details:
- Check the box under Status to enable the Forwarding.
- Under Source Zone select the Zone that you created in Step 12. For the Destination Zone select WAN Zone and for Filter Policy select Default Allow All. Then click Update.
- Step 18: Now we need to add another Forwarding for the opposite. Click Add and enter the following details:
- Check the box under Status to enable the Forwarding.
- Under Source Zone select the WAN Zone, for the Desitnation Zone select the Zone that you created in Step 12, and for the Filter Policy select Default Deny All. Click Update.
- Step 19: To finalize the Group Configuration from ECM, click Commit Changes and then click OK.
- Step 20: Lastly we will perform a test to verify functionality. Initiate a ping from the "Remote device connected to the router" (192.168.0.85 in our sample network) towards the vCPE adapter address 172.31.255.1.
- Step 21: Initiate a ping from the vCPE host (10.10.0.10 in our sample network) towards the router on its Asavie-assigned IP address - you can check what this is in the CPSV portal, Tunnels page.
Zone NAT Settings (optional)
To facilitate access from the HQ network towards the remote devices we need to setup some "Zone NAT" rules.
For example, to forward the "Remote Desktop" port 3389, to allow access to RDP to a remote machine:
- Step 1: Navigate to Security -> Zone Firewall -> NAT.
Step 2: Click Add under NAT and enter the following settings:
- Source Zone Name: CPSVPN Zone (this is the zone you previously created)
- Inbound Port(s): 3389 -> 3389
- Local Computer: 192.168.0.85 (Enter the IP of the machine you want to RDP to)
- Local Port(s): 3389 -> 3389
- Protocol: TCP
Step 3: Click Submit, then click Commit Changes.
For vCPE Software installation Issues: Click Here
For Service or Tunnel Issues with the vCPE Software: Click Here
Published Date: 07/14/2017
This article not have what you need? Not find what you were looking for? Think this article can be improved? Please let us know at firstname.lastname@example.org.