Cradlepoint IBR350 User Manual page 30

User Manual / IBR350 5/6/16

networks to function as one network. The two networks set up a secure connection across the (normally) unsecure Internet by assigning VPN encryption protocols.

Cradlepoint VPN tunnels use IPsec (Internet Protocol security) to authenticate and encrypt packets exchanged across the tunnels. To set up a VPN tunnel with a Cradlepoint router on one end, there must be another device (usually a router) that also supports IPsec on the other end.

IKE (Internet Key Exchange) is the security protocol in IPsec. IKE has two phases, phase 1 and phase 2. The router has several different security protocol options for each phase, but the default selections will be sufficient for most users.

The VPN tunnel status page allows you to view the state of the VPN tunnels. If a tunnel fails to connect to the remote site, check the System Logs for more information. You may double click on a cell to directly edit that information.

Click Add to configure a new VPN tunnel; click Edit to make changes to an existing tunnel.

Add/Edit Tunnel – General

Tunnel Name: Give the tunnel a name that uniquely identifies it.

Anonymous Mode: Select to allow remote connections from any IP address.

Responder Mode: When enabled, the router will not initiate negotiation with peers.

Local Identity: Specifies the identifier sent to the remote host during phase 1 negotiation. If left blank it will default to the IP address of the WAN connection. Currently we only support identifiers in the form of an IP address, a user-fully qualified domain name (user@mydomain.com) or just a fully qualified domain name (www.mydomain.com). If the remote side of the tunnel is configured to expect an identifier, then both must match in order for the negotiation to succeed. If NAT-T is being used, a single word (instead of an address) can be used if a DynDNS connection is not being used.

Remote Identity: Specifies the identifier we expect to receive from the remote host during phase 1 negotiation. If no identifier is defined then no verification of the remote peer's identification will be done. Currently we only support identifiers in the form of an IP address, a user-fully qualified domain name (user@mydomain.com) or just a fully qualified domain name (www.mydomain.com). If left blank we will default to the IP address of the WAN connection. If NAT-T is being used, a single word (instead of an address) can be used if a DynDNS connection is not being used.

Authentication Mode: Select from Pre-Shared Key and Certificate. Pre-Shared Key is used when there is a single key common to both ends of the VPN. Certificate requires the creation of a set of certificates and a private key that can be uploaded to the router. Select Enable Certificate Support in the Global VPN Settings section to upload a single set of certificates for the router to use.

Pre-Shared Key: Create a password or key. The routers on both sides of the tunnel must use this same key.

Mode: Select from Tunnel, Transport or VTI-Tunnel. Tunnel Mode is used for protecting traffic between different networks, when traffic must pass through an intermediate, untrusted network. Transport Mode is used for end-to-end communications (for example, for communications between a client and a server). VTI Tunnel creates a virtual tunnel interface with a specified virtual IP address. This interface can then be added to the zone firewall.
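
The following pre-deployment check for the Local Identity, Remote Identity and Anonymous Mode fields above is an added example, not part of the manual and not Cradlepoint code. The dict keys (`local_identity`, `remote_identity`, `anonymous_mode`, `nat_t`, `dyndns`, `wan_ip`) are hypothetical names for the fields on this page, and the check follows the page's statement that a blank Remote Identity means the peer's identifier is not verified.

```python
import ipaddress
import re

# Hypothetical dict keys mirroring this page's field labels; not Cradlepoint's schema or API.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_FQDN = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")
_WORD = re.compile(r"^[A-Za-z0-9_-]+$")

def id_type(value):
    """Classify an identifier: ip, user_fqdn, fqdn, word or invalid."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    user, at, host = value.partition("@")
    if at:
        return "user_fqdn" if user and _FQDN.match(host) else "invalid"
    if _FQDN.match(value):
        return "fqdn"
    return "word" if _WORD.match(value) else "invalid"

def audit_tunnel(t):
    """Return findings for one tunnel's General settings."""
    findings = []
    if t.get("anonymous_mode"):
        findings.append("anonymous_mode: accepts connections from any IP address")
    if not t.get("remote_identity"):
        findings.append("remote_identity: blank, peer identifier is not verified")
    for field in ("local_identity", "remote_identity"):
        value = t.get(field)
        kind = id_type(value) if value else None
        if kind == "invalid":
            findings.append(f"{field}: unsupported identifier form {value!r}")
        elif kind == "word" and (not t.get("nat_t") or t.get("dyndns")):
            findings.append(f"{field}: single word needs NAT-T and no DynDNS")
    return findings

def identities_match(a, b):
    """True if each side sends the identifier the other expects in phase 1."""
    def ok(sender, receiver):
        # A blank Local Identity defaults to the sender's WAN IP address.
        sent = sender.get("local_identity") or sender.get("wan_ip")
        expected = receiver.get("remote_identity")
        return not expected or sent == expected  # blank expectation: no check
    return ok(a, b) and ok(b, a)

# Constructed sample tunnels for illustration (not values from the manual).
SITE_A = {"local_identity": "hq.example.com", "remote_identity": "branch@example.com"}
SITE_B = {"local_identity": "branch@example.com", "remote_identity": ""}
```

Run `audit_tunnel` on each end's settings and `identities_match` on the pair before saving the tunnel; `SITE_B` is reported because it accepts any peer identifier.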

©2016 Cradlepoint. All Rights Reserved. | +1.855.813.3385 | cradlepoint.com
