How To Configure IPSec VPN Between A CradlePoint Router and A Fortinet Router

Uploaded by

legifas948

Summary
This article presents an example configuration of a policy-based site-to-site IPSec VPN tunnel between a Series 3 CradlePoint router and a Fortinet router.

Requirements

Products Supported

AER3100, AER2100, MBR1400v2, IBR11x0, IBR6x0 and the MBR1200B. Click here to identify your router.

Firmware Version

6.0.1 - for information on upgrading firmware, click here.

Assumptions

• CradlePoint model AER2100, MBR1400, IBR11x0, IBR6x0, or MBR1200B.
• Fortinet router with 5.0 or newer (Example used is FortiWiFi 60D).
• Static publicly routable IP addresses on both the CradlePoint and Fortinet router.

Global Leader in 4G LTE Network Solutions


805 W. Franklin Street Boise, ID 83702 | Toll Free: +1.855.813.3385 | Local: +1.208.424.5054 | Fax: +1.208.429.6852 | cradlepoint.com
Network Topology

Configuration
Configuration Difficulty: Intermediate

CradlePoint Configuration:

1. Log into the router's Setup Page. For help with logging in please click here.
2. Click on Networking and select Tunnels and then IPSec VPN.

3. Under IPSec VPN Tunnels click Add.


4. Enter a Tunnel Name.
5. Enter a Pre-Shared Key.
6. Click Next.

7. Under Local Networks click Add and enter the CradlePoint's LAN that you want to be accessible across the tunnel.
8. Click Next.

9. Enter the Remote Gateway which is the WAN IP of the Fortinet.


10. Under Remote Networks click Add and enter the Fortinet's LAN that you want to be accessible across the tunnel.
11. Click Next.

12. Select the desired IKE Phase 1 parameters.
• CradlePoint recommends AES-256 encryption, SHA1 hash, DH Group 1, and an IKE Phase 1 key lifetime of 86400.
13. Click Next.

14. Select the desired IKE Phase 2 parameters.


• CradlePoint recommends AES-256 encryption, SHA1 hash, DH Group 1, and a Phase 2 key lifetime of 3600.
15. Click Next.

16. Configure Dead Peer Detection to your preferences.


• CradlePoint recommends keeping this setting enabled.
17. Click Finish.

18. Under Global VPN Settings check Enable VPN Service and hit Save.

Fortinet Configuration:
The Fortinet product in this example is the FortiWiFi 60D.
19. On the Fortinet, go to VPN > IPsec > Auto Key (IKE). Select Create Phase 1. Set IP Address to the IP of the Branch FortiGate, Local Interface to the Internet-facing interface, enter a Pre-shared Key and select a Security Proposal that matches the CradlePoint's settings.

20. Go to Firewall Objects > Address > Addresses. Create a local address. Set Type to Subnet, Subnet/IP Range to the HQ subnet, and Interface to an internal port.

21. Create a remote LAN address. Set Type to Subnet, Subnet/IP Range to the Branch subnet, and Interface to the VPN Phase 1.

22. Return to VPN > IPsec > Auto Key (IKE). Select Create Phase 2, set it to use the Phase 1, and click Advanced. Set the correct Phase 2 security proposal, enable Autokey Keep Alive and Auto-Negotiate. Select Source address as the Local LAN and Destination address as the Remote LAN.

23. Go to Policy > Policy > Policy. Create a policy for outbound traffic. Set Incoming Interface to the internal port, Source Address to the Local LAN, Outgoing Interface to the VPN Phase 1, and Destination Address to the Remote LAN.

24. Create a second policy for inbound traffic. Set Incoming Interface to the VPN Phase 1, Source Address to the Remote LAN, Outgoing Interface to the internal port, and Destination Address to the Local LAN.

25. Go to Router > Static > Static Routes. Create a route for IPsec traffic, setting Device to the VPN Phase 1. If the Router menu is not visible, go to System > Config > Features to ensure that Advanced Routing is turned on.
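
A pre-flight check for the values entered in the steps above, as an added example (not from the original article, CradlePoint or Fortinet): it confirms that each side's Remote Gateway, mirrored Local/Remote Networks, pre-shared key and Phase 1/Phase 2 proposals agree, and reports Diffie-Hellman groups below 2048 bits. The dictionary layout, addresses and key are constructed for illustration.

```python
import ipaddress

WEAK_DH = {1: 768, 2: 1024, 5: 1536}  # MODP group number -> modulus bits (< 2048)

def nets(values):
    return {ipaddress.ip_network(v) for v in values}

def check_tunnel(a, b):
    """Compare two endpoint descriptions; return a list of finding strings."""
    out = []
    for me, peer in ((a, b), (b, a)):
        # Remote Gateway on one side must be the WAN IP of the other.
        if ipaddress.ip_address(me["remote_gw"]) != ipaddress.ip_address(peer["wan_ip"]):
            out.append(f"{me['name']}: remote gateway != {peer['name']} WAN IP")
        # Selectors must mirror: my Local Networks == peer's Remote Networks.
        if nets(me["local"]) != nets(peer["remote"]):
            out.append(f"{me['name']}: local networks != {peer['name']} remote networks")
    # Overlapping LANs on the two sites make the selectors ambiguous.
    if any(x.overlaps(y) for x in nets(a["local"]) for y in nets(b["local"])):
        out.append("local networks overlap between sites")
    if a["psk"] != b["psk"]:
        out.append("pre-shared key mismatch")
    for phase in ("phase1", "phase2"):
        for key in ("enc", "hash", "dh", "lifetime"):
            if a[phase][key] != b[phase][key]:
                out.append(f"{phase} {key} mismatch: {a[phase][key]} vs {b[phase][key]}")
        for side in (a, b):
            bits = WEAK_DH.get(side[phase]["dh"])
            if bits:
                out.append(f"{side['name']} {phase}: DH group {side[phase]['dh']} is {bits}-bit MODP")
    return out

# Constructed sample values (documentation address ranges, placeholder key).
PAGE = {"enc": "aes256", "hash": "sha1", "dh": 1}  # proposal named in steps 12 and 14
CRADLEPOINT = {
    "name": "cradlepoint", "wan_ip": "203.0.113.10", "remote_gw": "198.51.100.20",
    "local": ["192.168.0.0/24"], "remote": ["192.168.1.0/24"], "psk": "PLACEHOLDER-KEY",
    "phase1": {**PAGE, "lifetime": 86400}, "phase2": {**PAGE, "lifetime": 3600},
}
FORTINET = {
    "name": "fortinet", "wan_ip": "198.51.100.20", "remote_gw": "203.0.113.10",
    "local": ["192.168.1.0/24"], "remote": ["192.168.0.0/25"],  # deliberate /25 typo
    "phase1": {**PAGE, "lifetime": 86400}, "psk": "PLACEHOLDER-KEY",
    "phase2": {**PAGE, "dh": 5, "lifetime": 3600},               # deliberate DH mismatch
}

if __name__ == "__main__":
    for finding in check_tunnel(CRADLEPOINT, FORTINET):
        print(finding)
```

An empty result means the two descriptions agree and use no sub-2048-bit group; a proposal or selector mismatch is the usual reason negotiation fails on a tunnel configured this way.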
