Create IPsec tunnels on a Cradlepoint Router
Complete this procedure to create an IPsec tunnel between your Cradlepoint router and SIA. Traffic sent through the tunnel is encrypted and directed to the SIA proxy for inspection. For more information on IPsec, see Set up IPsec tunnels.
Before you begin
Make sure:
- You have a Cradlepoint router and a NetCloud account. Your Cradlepoint router and NetCloud account must be active.
- You have an active NetCloud Essentials subscription associated with your Cradlepoint router.
- You complete preparation steps for SD-WAN setup. See Prepare for SD-WAN setup.
You must create IPsec credentials. The IKE identifier and the pre-shared key that you provide in SIA are required for this setup.
To configure your Cradlepoint router:
1. Log into your NetCloud Manager account (https://cradlepointecm.com/).
2. Navigate to your device or group, and select it.
3. In the menu, select Configuration > Edit. A window appears.
4. Under DNS Settings:
   - In the DNS Mode menu, select Static.
   - In the Primary DNS and Secondary DNS fields, enter the SIA DNS Server IP addresses. For more information, see View connection information.
   - Confirm that the remaining options are selected.
   - Click Commit Changes.

     After the changes are committed, SIA begins receiving DNS traffic from the Cradlepoint router.
5. Configure the IPsec tunnel:
   - Return to the device or group that you selected in step 2.
   - In the menu, select Configuration > Edit.
   - Select Navigation > Tunnels > IPsec VPN.
   - Click Add and complete the steps as described in this table:

     | Field | Step |
     | --- | --- |
     | Tunnel Name | Enter a name for the tunnel. |
     | Mode | Select Tunnel. |
     | IKE Version | Select IKEv2. |
     | Local Identity | Select User FQDN and in the provided field, enter the IKE identifier that you created in SIA. For more information, see Configure IPsec credentials in SIA. |
     | Authentication Mode | Select Pre-Shared Key. This is the pre-shared key that you created and provided in SIA. For more information, see Prepare for SD-WAN setup. |
     | Initiation Mode | Select Always On. |
     | Enable Tunnel | Confirm that Enable Tunnel is selected. |

   - Click Next.
6. Click Next.
7. Configure the Remote Gateway settings:
   - In the Gateway field, enter the IPsec primary domain: `primary.ipsec.akaetp.net`
   - In the Remote Networks section, add one or more entries for the specific routing your organization requires. For example, you can configure policy-based routing, default routing, or more specific routing.
   - To direct all web traffic to SIA, you can leave the port fields with the default Any value. Optionally, you can add individual default network entries to specify web traffic for ports 80, 443, or both.
   - Click Next.
8. Configure the IKE Phase 1 settings:
   - In the Group section, select Group 14. Make sure no other group is selected.
   - Click Next.
9. Configure the IKE Phase 2 settings:
   - In the Group section, select Group 14. Make sure no other group is selected.
   - Click Next.
10. Click Finish.
11. Review tunnel settings. Tunnel settings should resemble this graphic:

    [Graphic: tunnel settings]
12. Click Commit Changes.
13. Repeat steps 5-12 for the secondary tunnel. Provide the IPsec secondary domain (`secondary.ipsec.akaetp.net`) in the Remote Gateway settings.
Next Steps
Validate your configuration. See Verify the tunnel configuration.
Verify the tunnel configuration
Complete these steps to confirm that the tunnels connect to SIA and send traffic as expected.
To verify your tunnel configuration:
- Go to the device or group where you configured the tunnels, and select it.
- In the Remote Connect menu, select Connect to Device UI.
- From the navigation menu, select Networking > Tunnels > IPsec VPN. Review the tunnel configuration.
- From the navigation menu, select Status > Tunnels > IPsec VPN. View the IPsec VPN tunnel status.
- Review the system logs:
  - In the navigation menu, select Status > System Logs.
  - Review the logs to make sure there are no connection issues.
- Check the IPsec Activity report in SIA to ensure that traffic is flowing through the tunnels. You can also view the DNS Activity and Proxy Activity reports.