NCOS: VPN Quick Start Guide for Capable Cradlepoint Products

Products Supported: AER3100, AER2200, AER2100, AER16x0, MBR1400, MBR1200B, IBR6x0, IBR6x0B, IBR6x0C, IBR11x0, IBR9x0. See Identify Cradlepoint Products to identify your device.

NCOS Version: 6.3 - for information on upgrading NCOS Versions, see the Cradlepoint Firmware Policy FAQ.


Quick Links

Summary

Configuration

Logging

Use Cases

Related Articles


Summary

This article provides a general explanation of how to set up an IPSec VPN tunnel. Below is a table of the tunnel limits per model.

Note: this table does not apply to tunnels in anonymous mode.

Model          Max Configurable IPSec Tunnels   Max Local Networks Per Tunnel   Max Remote Networks Per Tunnel
AER31x0        40                               10                              10
AER2200        20                               10                              10
AER21x0        20                               10                              10
AER16x0        20                               10                              10
COR IBR11x0    5                                5                               5
COR IBR9x0     10                               10                              10
COR IBR6x0C    5                                5                               5
COR IBR6x0B    5                                5                               5
COR IBR6x0     5                                5                               5
COR IBR350     2                                2                               2
MBR1200B       2                                2                               2


Configuration

Configuration Difficulty: Intermediate

1. Log into NCOS. For help with logging in see NCOS: Accessing the Setup Pages of a CradlePoint router.

2. Click on Networking, select Tunnels, and then select IPSec VPN.

NCOS IPSec VPN tunnel page
 
3. Click the Global Settings tab, select Enable VPN Service, and then click Save.
 
NCOS IPSec VPN tunnel page Global settings
 
4. Click the Tunnels tab, and then click Add.
 
NCOS IPSec VPN tunnel page - add tunnel

5. Configure the General settings for the VPN tunnel:

NCOS IPSec VPN tunnel page general settings

  • Tunnel Name: Use a simple but descriptive name for the tunnel so you can easily reference it.
  • Mode: Select from the following modes:
    • Tunnel: Used to protect traffic between different networks, when traffic must pass through an intermediate, untrusted network.
    • Transport: For end-to-end communications (for example, for communications between a client and a server).
    • VTI Tunnel: Creates a virtual tunnel interface with a specified virtual IP address. This interface can then be added to the zone firewall.
  • IKE Version (Added in 6.3.0): Determines which version of the Internet Key Exchange the VPN will use. IKEv2 includes MOBIKE and requires your device to be licensed for the feature; IKEv1 works with no licensing. Selecting Both allows the router to respond to IKEv1 initiation requests while always initiating with IKEv2.
  • IKEv2 Settings: Enables MOBIKE (Mobile IKE) on IKEv2 connections. This allows mobile clients to keep an established IPsec tunnel even when the client's IP address changes.
  • Anonymous Mode: Allow remote connections from any IP address.
  • Responder Mode: When enabled, the router will not initiate negotiation with peers.
  • Inactivity Timeout: Time in seconds to wait after no activity is detected before terminating Child SA.
  • Local Identity: Not required for connections with static IP addresses, but it may be used. The value is up to you, since it is this router's identity, but it must match the Remote Identity configured on the other end of the tunnel. If you are using a Dynamic DNS service for the DHCP-assigned IP address from your carrier, add a Local Identity here. This adds an additional layer of security when the secured tunnel is initialized. If you use a Local Identity, you must configure a Remote Identity on the other end of the tunnel.
  • Remote Identity: Not required for connections with static IP addresses, but it may be used. The value is up to you, since it is the identity of the other end of the tunnel, but it must match the Local Identity configured on the other end. If you are using a Dynamic DNS service for the DHCP-assigned IP address from your carrier, add a Remote Identity here. This adds an additional layer of security when the secured tunnel is initialized. If you use a Remote Identity, you must configure a Local Identity on the other end of the tunnel.
  • Authentication Mode: Use Pre-Shared Key when there is a single key common to both ends of the VPN. Certificate requires the creation of a set of certificates and a private key; select which certificate to use under Global VPN Settings. Certificates are managed under Security > Certificate Management.
  • Pre-shared Key: Any password works here, but it must be identical on both ends of the tunnel.
  • Protocol: Upper-layer protocol to match. The following protocols can be set: ICMP, TCP, UDP, GRE or Any. Any includes all of the previously mentioned protocols.
  • Initiation Mode:
    • Use Always On to allow the router to initiate the tunnel connection whenever the WAN becomes available.
    • Use On Demand to allow the router to initiate the tunnel connection if and only if there is data traffic intended for the remote side of the tunnel.
  • Enable Tunnel: Enable/Disable this tunnel. Disabled tunnels are not activated by failover policy.
6. Ensure the Enable Tunnel checkbox is checked, and then click Next.

7. Configure the Local Gateway and Local Networks:

NCOS IPSec VPN tunnel page - add tunnel

Local Gateway:

  • WAN Binding: WAN Binding is an advanced optional parameter used to configure a VPN tunnel to ONLY operate when the specified WAN device(s) are available and connected.
  • Invert Binding: Advanced option that inverts the meaning of WAN Binding to only establish this tunnel when the specified WAN Binding device(s) are NOT connected.
  • Interface IP Mode: Interface IP Mode is the method an IP address is assigned to the IPSec virtual interface.
  • Interface IP: IP address to assign to the IPSec virtual interface. If left blank, the IP address is automatically assigned according to the Interface IP Mode.
  • Interface NAT: Forces all traffic routed through the IPSec interface to be NAT'd to the specified interface IP.
  • Interface MTU: MTU for this VTI. Leave this blank to use path MTU discovery.

Local Networks:

Click Add to specify a new Local Network.

  • Network Address: The network address of any LANs you want to be accessible across the VPN.
  • Port: (optional) A port can be defined that will limit the traffic going through the VPN tunnel to only that port. If the field is left blank, that denotes All or Any ports will be accepted.
  • NAT to Address: (optional) A NAT to address can be defined to translate the source address of all traffic from the local network.
  • Exclude: (optional) Use to exclude this network from the IPSec VPN.

8. Click Next after configuring the local gateway and local networks.

9. Configure the Remote Gateway and Remote Networks:

NCOS IPSec VPN tunnel page remote gateway

Remote Gateway:

  • Gateway: The gateway’s IP address or fully qualified domain name.
  • Port: (optional) Enter the remote port for ISAKMP traffic.
  • Force UDP Encapsulation: Forces this endpoint to encapsulate IPSec traffic in UDP by faking NAT-Traversal.

Remote Network:

  • Router Services: Delays initiation of router-generated traffic (e.g. DNS) until the IPSec VPN tunnel is established and forwards all router-generated traffic through the tunnel.
  • Don’t forward DHCP broadcast: Check this to prevent local DHCP broadcast traffic from being forwarded through the VPN tunnel.

10. Click Next after configuring the remote gateway and remote networks.

11. Configure the IKE Phase 1 settings:

NCOS IPSec VPN tunnel page IKE1 settings

  • Exchange Mode: Main should be used when both sides of the tunnel have public WAN IPs. Aggressive is used when one side has a NAT'd IP.
  • Key Lifetime (Secs): The lifetime of the generated keys of Phase 1 of the IPSec negotiation from IKE. After the time has expired, IKE will renegotiate a new set of Phase 1 keys.
  • Encryption: Select the Encryption Algorithm(s) you wish to use.
  • Hash: Select the Hash Algorithm(s) you wish to use.
  • Group: Select the Diffie-Hellman Group(s) to use.
  • Suite B Presets: Select IKE Suite B presets. See RFC 6379. Suite B compliance requires the use of IKEv2.

Note: These settings must match the IKE Phase 1 settings on the other side of the tunnel.

Note: In 6.3.0 and newer the IKE Suite B presets are Suite B compliant combinations of Encryption, Hash, and Group algorithms. Suite B compliance requires the use of IKEv2. See RFC 6379.

12. Click Next after configuring the IKE Phase 1 settings.

13. Configure the IKE Phase 2 settings:

NCOS IPSec VPN tunnel page IKE2 settings

  • Perfect Forward Secrecy: Enabling this feature will require IKE to generate a new set of keys in Phase 2 rather than using the same key generated in Phase 1.
  • Key Lifetime (Secs): The lifetime of the generated keys of Phase 2 of the IPSec negotiation from IKE. After the time has expired, IKE will renegotiate a new set of Phase 2 keys.
  • Push Network Ranges: Push an IP address from this network range when an IPSec client requests an IP via mode config or configuration payload.
  • Peer List Name: Name or Host Address Identity to map IPSec peer IPs as they come online. These lists can be used in routing protocols.
  • Encryption: Select the Encryption Algorithm(s) you wish to use.
  • Hash: Select the Hash Algorithm(s) you wish to use.
  • Group: Select the Diffie-Hellman Group(s) to use.
  • Suite B Presets: Select ESP Suite B presets. See RFC 6379. Suite B compliance requires the use of IKEv2. The GMAC Suite B algorithms provide integrity protection only, with NO encryption.

Note: These settings must match the IKE Phase 2 settings on the other side of the tunnel.

Note: In 6.3.0 and newer the IKE Suite B presets are Suite B compliant combinations of Encryption, Hash, and Group algorithms. Suite B compliance requires the use of IKEv2. See RFC 6379.

14. Click Next after configuring the IKE Phase 2 settings.

15. Configure the Dead Peer Detection settings:

NCOS IPSec VPN tunnel page dead peer detection settings

Use the Dead Peer Detection settings to define if and how the router will detect when one end of the IPSec session loses connection while a policy is in use.

  • Connection Idle Time: The interval at which Dead Peer Detection packets are sent to the peer.
  • Request Period: Determines the total delay before declaring the tunnel dead. Total IKEv1 DPD delay equals Request Period * Maximum Requests.
  • Maximum Requests: Specifies the number of request periods with unacknowledged DPD packets before the tunnel is considered dead. Total IKEv1 DPD delay equals Request Period * Maximum Requests.
  • Failback Retry Period: How often the router should check to see if the failback tunnel can be reestablished.
  • Failover Tunnel: Name of the tunnel to activate when this tunnel fails. Leave blank for no failover.
  • Failback Tunnel: Name of the tunnel used to fail back from this tunnel if activated via a failover policy.
16. Click Finish to save the tunnel.
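As a worked check for the procedure above and for the per-model limits in the Summary table, here is an added Python example (not Cradlepoint code, and not an NCOS export format) that compares the settings entered on both ends of a tunnel before they are deployed: pre-shared keys and key lifetimes must match, Phase 1 and Phase 2 proposals must overlap, Local/Remote Identity and Local/Remote Network values must mirror each other, Suite B presets need IKEv2, and GMAC ESP suites give no confidentiality. The endpoint dictionaries, model assignments, network ranges and pre-shared key are constructed sample values.

```python
# Added example, not Cradlepoint code: a pre-deployment consistency check for
# the two ends of an NCOS IPSec tunnel, encoding the rules this guide states.
# The endpoint dictionaries below are a hypothetical representation of the
# Add Tunnel form fields, not an NCOS configuration export format.

# Per-model limits copied from the table in the Summary section:
# (max configurable IPSec tunnels, max local networks, max remote networks).
MODEL_LIMITS = {
    "AER31x0": (40, 10, 10), "AER2200": (20, 10, 10), "AER21x0": (20, 10, 10),
    "AER16x0": (20, 10, 10), "COR IBR11x0": (5, 5, 5), "COR IBR9x0": (10, 10, 10),
    "COR IBR6x0C": (5, 5, 5), "COR IBR6x0B": (5, 5, 5), "COR IBR6x0": (5, 5, 5),
    "COR IBR350": (2, 2, 2), "MBR1200B": (2, 2, 2),
}

# IKE versions each setting of the "IKE Version" field can negotiate.
IKE_VERSIONS = {"IKEv1": {1}, "IKEv2": {2}, "Both": {1, 2}}


def check_endpoint(ep):
    """Checks local to one side: model limits, Suite B needs IKEv2, GMAC means no encryption."""
    findings = []
    name = ep["name"]
    max_tunnels, max_local, max_remote = MODEL_LIMITS[ep["model"]]
    if ep["configured_tunnels"] > max_tunnels:
        findings.append(f"{name}: {ep['configured_tunnels']} tunnels exceeds "
                        f"the {ep['model']} limit of {max_tunnels}")
    if len(ep["local_networks"]) > max_local:
        findings.append(f"{name}: more than {max_local} local networks on one tunnel")
    if len(ep["remote_networks"]) > max_remote:
        findings.append(f"{name}: more than {max_remote} remote networks on one tunnel")
    uses_suite_b = ep["phase1"]["suite_b"] or ep["phase2"]["suite_b"]
    if uses_suite_b and 2 not in IKE_VERSIONS[ep["ike_version"]]:
        findings.append(f"{name}: Suite B presets require IKEv2")
    if any("GMAC" in alg.upper() for alg in ep["phase2"]["encryption"]):
        findings.append(f"{name}: GMAC ESP suite provides integrity only, no encryption")
    return findings


def check_pair(a, b):
    """Cross-checks the two ends: what the guide says must match, and what must mirror."""
    findings = check_endpoint(a) + check_endpoint(b)
    if not IKE_VERSIONS[a["ike_version"]] & IKE_VERSIONS[b["ike_version"]]:
        findings.append("no IKE version common to both ends")
    if a["psk"] != b["psk"]:
        findings.append("pre-shared keys differ")
    for phase in ("phase1", "phase2"):
        # Each side may offer several algorithms; negotiation needs an overlap.
        for field in ("encryption", "hash", "group"):
            if not set(a[phase][field]) & set(b[phase][field]):
                findings.append(f"{phase}: no {field} proposal common to both ends")
        if a[phase]["lifetime"] != b[phase]["lifetime"]:
            findings.append(f"{phase}: key lifetimes differ")
    # Identities and networks are mirrored, not equal: A's Local is B's Remote.
    if (a["local_identity"] != b["remote_identity"]
            or a["remote_identity"] != b["local_identity"]):
        findings.append("Local/Remote Identity values are not mirrored between the ends")
    if (set(a["local_networks"]) != set(b["remote_networks"])
            or set(a["remote_networks"]) != set(b["local_networks"])):
        findings.append("Local/Remote Network lists are not mirrored between the ends")
    return findings


# Constructed sample endpoints: a hub on an AER2200 and a branch on a COR IBR9x0.
PHASE1 = {"encryption": ["AES256"], "hash": ["SHA256"], "group": ["14"],
          "lifetime": 28800, "suite_b": False}
PHASE2 = {"encryption": ["AES256"], "hash": ["SHA256"], "group": ["14"],
          "lifetime": 3600, "suite_b": False}
HUB = {"name": "hub", "model": "AER2200", "configured_tunnels": 3,
       "ike_version": "IKEv2", "psk": "constructed-sample-psk",
       "local_identity": "hub.example.invalid", "remote_identity": "branch.example.invalid",
       "local_networks": ["10.0.0.0/24"], "remote_networks": ["10.1.0.0/24"],
       "phase1": PHASE1, "phase2": PHASE2}
BRANCH = {"name": "branch", "model": "COR IBR9x0", "configured_tunnels": 1,
          "ike_version": "IKEv2", "psk": "constructed-sample-psk",
          "local_identity": "branch.example.invalid", "remote_identity": "hub.example.invalid",
          "local_networks": ["10.1.0.0/24"], "remote_networks": ["10.0.0.0/24"],
          "phase1": PHASE1, "phase2": PHASE2}

if __name__ == "__main__":
    for finding in check_pair(HUB, BRANCH) or ["no mismatches found"]:
        print(finding)
```

Running the block as written reports no mismatches; change the branch's pre-shared key, or set a Suite B preset while the IKE Version is IKEv1, and the corresponding findings are listed before anything is pushed to the routers.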
 

Logging

In 6.3.0 and newer, a Logging tab was added to the Networking > Tunnels > IPSec VPN page. On this tab you can enable verbose logging for the IPSec VPN tunnels; the output is shown in the System Logs.

By default all subsystems are set to log level 1. To configure logging, click Add and then select a Subsystem and Log Level.

Subsystems

  • default: The default encompasses all other subsystems.
  • app: applications other than daemons
  • asn: Low-level encoding/decoding (ASN.1, X.509)
  • cfg: Configuration management and plugins
  • chd: CHILD_SA/IPsec SA (IKE Phase 2)
  • dmn: Main daemon setup/cleanup/signal handling
  • enc: Packet encoding/decoding encryption/decryption operations (ESP)
  • esp: libipsec library messages
  • ike: IKE_SA/ISAKMP SA (IKE Phase 1)
  • imc: Integrity Measurement Collector
  • imv: Integrity Measurement Verifier
  • job: Jobs queuing/processing and thread pool management
  • knl: IPsec/Networking kernel interface
  • lib: libstrongswan library messages
  • mgr: IKE_SA manager, handling synchronization for IKE_SA access
  • net: IKE network communication
  • pts: Platform Trust Service
  • tls: libtls library messages
  • tnc: Trusted Network Connect

Log Levels

  • -1: Absolutely silent
  • 0: Very basic auditing log (for example: SA up/SA down)
  • 1: Generic control flow with errors (a good default to see what is going on)
  • 2: More detailed debugging control flow
  • 3: Including RAW data dumps in hex
  • 4: Also include sensitive material in dumps such as keys

Use Cases

General VPN Setup

VPN to Other Vendors


Related Articles/Links


Published Date: 07/14/2017
