
Upload: doannga

Post on 13-Mar-2018


© 2014 CradlePoint Technology. All rights reserved. Information subject to change without notice.

How to configure IPSec VPN between a CradlePoint router and a Fortinet router

Quick Links

- Summary
- Requirements
  o Products Supported
  o Firmware Version
  o Assumptions
- Network Topology
- Configuration
  o CradlePoint Configuration
  o Fortinet Configuration

Summary

This article presents an example configuration of a policy-based site-to-site IPSec VPN tunnel between a Series 3 CradlePoint router and a Fortinet router.

Requirements

Products Supported

AER2100, MBR1400v2, IBR11x0, IBR6x0 and the MBR1200B. Click here to identify your router.

Firmware Version

5.2.4 - for information on upgrading firmware, click here.

Assumptions

• CradlePoint model AER2100, MBR1400, IBR11x0, IBR6x0, or MBR1200B.

• Fortinet router with 5.0 or newer (Example used is FortiWiFi 60D).

• Static publicly routable IP addresses on both the CradlePoint and Fortinet router.


Network Topology


Configuration

Configuration Difficulty: Intermediate

CradlePoint Configuration:

1. Log into the router's Setup Page. For help with logging in please click here.

2. Click on Internet and select VPN Tunnels from the drop-down menu.

3. Under VPN Tunnels click Add.


4. Enter a Tunnel Name.

5. Enter a Pre-Shared Key.

6. Click Next.


7. Under Local Networks click Add and enter the CradlePoint's LAN that you want to be accessible across the tunnel.

8. Click Next.


9. Enter the Remote Gateway which is the WAN IP of the Juniper.

10. Under Remote Networks click Add and enter the Juniper's LAN that you want to be accessible across the tunnel.

11. Click Next.


12. Select the desired IKE Phase 1 parameters.

• CradlePoint recommends AES-256 encryption, SHA1 hash, DH Group 1, and IKE Phase 1 key lifetime of 86400.

13. Click Next.


14. Select the desired IKE Phase 2 parameters.

• CradlePoint recommends AES-256 encryption, SHA1 hash, DH Group 1, and a Phase 2 key lifetime of 3600.

15. Click Next.


16. Configure Dead Peer Detection to your preferences.

• CradlePoint recommends keeping this setting enabled.

17. Click Finish.


18. On the Tunnel Summary screen, review the settings and make sure they are correct.

19. Click Yes to create the tunnel.


20. Under VPN Tunnels click Enable VPN Service.

Fortinet Configuration:

The Fortinet product in this example is the FortiWiFi 60D.

21. On the Fortinet, go to VPN > IPsec > Auto Key (IKE). Select Create Phase 1. Set IP Address to the IP of the Branch FortiGate and Local Interface to the Internet-facing interface, enter a Pre-shared Key, and select a Security Proposal that matches the CradlePoint's settings.


22. Go to Firewall Objects > Address > Addresses. Create a local address. Set Type to Subnet, Subnet/IP Range to the HQ subnet, and Interface to an internal port.

23. Create a remote LAN address. Set Type to Subnet, Subnet/IP Range to the Branch subnet, and Interface to the VPN Phase 1.


24. Return to VPN > IPsec > Auto Key (IKE). Select Create Phase 2, set it to use the Phase 1, and click Advanced. Set the correct Phase 2 security proposal, enable Autokey Keep Alive and Auto-Negotiate. Select Source address as the Local LAN and Destination address as the Remote LAN.

25. Go to Policy > Policy > Policy. Create a policy for outbound traffic. Set Incoming Interface to the internal port, Source Address to the Local LAN, Outgoing Interface to the VPN Phase 1, and Destination Address to the Remote LAN.


26. Create a second policy for inbound traffic. Set Incoming Interface to the VPN Phase 1, Source Address to the Remote LAN, Outgoing Interface to the internal port, and Destination Address to the Local LAN.

27. Go to Router > Static > Static Routes. Create a route for IPsec traffic, setting Device to the VPN Phase 1. If the Router menu is not visible, go to System > Config > Features to ensure that Advanced Routing is turned on.
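
A pre-flight check for the two configurations above, added here as an example (it is not CradlePoint or Fortinet code): it compares the values entered on each side, since step 21 requires the Fortinet proposal to match the CradlePoint's and the local and remote networks must mirror each other, and it flags small Diffie-Hellman groups with their RFC 8247 status. The dict layout, addresses and key are constructed assumptions; the Phase 1 and Phase 2 values are the ones recommended in steps 12 and 14.

```python
import copy
import ipaddress

# RFC 8247 status of the small MODP groups (written for IKEv2; the group
# sizes are the same under IKEv1).
WEAK_DH = {1: "768-bit MODP, MUST NOT", 2: "1024-bit MODP, SHOULD NOT",
           5: "1536-bit MODP, SHOULD NOT"}

def nets(values):
    """Parse CIDR strings; strict=True rejects host bits set (e.g. 10.0.0.1/24)."""
    return {ipaddress.ip_network(v, strict=True) for v in values}

def check_tunnel(a, b):
    """Compare side a with side b. Returns (errors, warnings) as lists of str."""
    errors, warnings = [], []
    if a["psk"] != b["psk"]:
        errors.append("pre-shared key differs")
    for phase in ("phase1", "phase2"):
        for key in ("enc", "hash", "dh"):
            if a[phase][key] != b[phase][key]:
                errors.append(f"{phase} {key}: {a[phase][key]} vs {b[phase][key]}")
        if a[phase]["lifetime"] != b[phase]["lifetime"]:
            warnings.append(f"{phase} lifetime differs")
        for group in sorted({a[phase]["dh"], b[phase]["dh"]} & WEAK_DH.keys()):
            warnings.append(f"{phase} DH group {group}: {WEAK_DH[group]}")
    # Each side's local networks must be the other side's remote networks.
    if nets(a["local_nets"]) != nets(b["remote_nets"]):
        errors.append("a.local_nets != b.remote_nets")
    if nets(a["remote_nets"]) != nets(b["local_nets"]):
        errors.append("a.remote_nets != b.local_nets")
    for loc in nets(a["local_nets"]):
        for rem in nets(a["remote_nets"]):
            if loc.overlaps(rem):
                errors.append(f"local {loc} overlaps remote {rem}")
    return errors, warnings

# Constructed sample values: addresses, key and layout are assumptions.
CRADLEPOINT = {
    "psk": "constructed-example-key",
    "local_nets": ["192.168.0.0/24"], "remote_nets": ["192.168.1.0/24"],
    "phase1": {"enc": "aes256", "hash": "sha1", "dh": 1, "lifetime": 86400},
    "phase2": {"enc": "aes256", "hash": "sha1", "dh": 1, "lifetime": 3600},
}
FORTINET = copy.deepcopy(CRADLEPOINT)
FORTINET["local_nets"], FORTINET["remote_nets"] = ["192.168.1.0/24"], ["192.168.0.0/24"]

if __name__ == "__main__":
    errs, warns = check_tunnel(CRADLEPOINT, FORTINET)
    print("errors:", errs)
    print("warnings:", warns)
```

With the recommended values mirrored correctly the check reports no errors but warns on DH Group 1 in both phases; if both devices offer a larger group, select the same one on each side.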