Vigor Router to NordVPN server - IKEv2 EAP
NordVPN is a well-known cloud VPN service that supports VPN protocols such as PPTP, L2TP over IPsec, OpenVPN and IKEv2. DrayTek's PPTP and L2TP/IPsec VPN are on NordVPN's compatibility list. Since firmware version 3.9.0, Vigor Router supports dialing out an IKEv2 EAP VPN tunnel to a NordVPN server. This document shows how to create an IKEv2 EAP VPN tunnel from Vigor Router to a NordVPN server.
NordVPN Server Setup
1. Apply for a trial NordVPN account at https://free.nordvpn.com/
2. Activate your trial NordVPN account using the activation email.
3. Download the NordVPN root CA certificate from https://downloads.nordvpn.com/certificates/root.der
4. Select the preferred NordVPN server from https://nordvpn.com/servers/
You may select the country where you are located, and NordVPN will recommend a server.
In this example, de241.nordvpn.com is the recommended NordVPN server.
5. On the Vigor Router, go to Certificate Management >> Trusted CA Certificate page and click IMPORT.
6. Click Choose File to select the root.der file downloaded in step 3 from https://downloads.nordvpn.com/certificates/root.der, then click Import.
7. Wait a few seconds. Vigor Router will respond “Import Success” and the Certificate Status will show OK.
8. Go to VPN and Remote Access >> IPsec Peer Identity page, and edit a profile to create an identity profile for the NordVPN server.
Click Enable this account and select Accept Any Peer ID. This option accepts the peer regardless of the identity in its certificate, so server authentication relies on the certificate being issued under the CA imported in steps 5 to 7.
9. Go to VPN and Remote Access >> LAN to LAN, click on an available index number, and edit the profile as follows.
a. In Common Settings,
- Give it a profile name and Enable this profile
- Set Call Direction to Dial-Out
- Select the WAN interface that the VPN will dial out through.
b. In Dial-Out Settings,
- Select IPsec Tunnel and IKEv2
- Select IPsec EAP as the VPN server type
- Enter the VPN server IP address/Hostname (the server selected in step 4)
- Enter the Username and Password. (Username is the mail address you used to apply for the NordVPN account; Password is the one you configured when activating the NordVPN trial service.)
- Choose Digital Signature and, for Peer ID, select the IPsec Peer Identity profile created for the NordVPN server in step 8.
- Select AES with Authentication as IPsec Security
- Click the Advanced button to configure advanced IKE/IPsec settings
In the IKE advanced settings page, configure:
- IKE phase 1 proposal as AES256_SHA1_G14
- IKE phase 2 proposal as AES256_SHA1
- IKE phase 1 key lifetime 3600
- IKE phase 2 key lifetime 1200
c. In TCP/IP Network Settings:
- Enter Remote Network IP/Mask as 0.0.0.0/00
- Select NAT for this VPN connection
- Enable the Change Default Route to this VPN tunnel option if you want all traffic to go through the NordVPN server.
10. After finishing the above settings, we can check the VPN status via the VPN and Remote Access >> Connection Management page.
11. We can create a Policy Route via Routing >> Load-Balance/Route Policy to send specific traffic through the NordVPN tunnel.
12. We can use the “tracert” command to check whether the defined traffic is going through the VPN tunnel correctly.
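One way to automate the check in step 12, as an added example that is not DrayTek's or NordVPN's code: it parses Windows tracert output and compares a trace taken with the VPN profile disabled against one taken for traffic the route policy should send into the tunnel. The sample traces, the router LAN address 192.168.1.1, the function names and all other addresses are assumptions constructed for illustration.

```python
import re

# Constructed tracert output; every address here is a made-up example.
TRACE_DIRECT = """\
Tracing route to 203.0.113.80 over a maximum of 30 hops
  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2     8 ms     7 ms     9 ms  gw.isp.example [198.51.100.1]
  3    15 ms    14 ms    15 ms  203.0.113.80
"""
TRACE_TUNNEL = """\
Tracing route to 203.0.113.80 over a maximum of 30 hops
  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2    35 ms    34 ms    36 ms  10.8.0.1
  3     *        *        *     Request timed out.
  4    41 ms    40 ms    41 ms  203.0.113.80
"""

HOP = re.compile(r"^\s*(\d+)\s+(.*)$")                     # "<hop no> <rest of line>"
IPV4 = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\s*$")  # bare or "[bracketed]" address

def parse_tracert(text):
    """Return [(hop_number, ip_or_None)]; None marks a hop that timed out."""
    hops = []
    for line in text.splitlines():
        m = HOP.match(line)
        if m:
            ip = IPV4.search(m.group(2))
            hops.append((int(m.group(1)), ip.group(1) if ip else None))
    return hops

def check_tunnel(baseline, candidate, router_ip):
    """Compare a VPN-disabled trace (baseline) with a policy-routed one (candidate)."""
    base = [ip for _, ip in parse_tracert(baseline) if ip]
    cand = [ip for _, ip in parse_tracert(candidate) if ip]
    if not cand or cand[0] != router_ip:
        return "unexpected first hop"
    # First hop past the router on the direct path, destination excluded.
    isp_path = [ip for ip in base[:-1] if ip != router_ip]
    if not isp_path:
        return "baseline unusable"
    if isp_path[0] in cand:
        return "LEAK: path still uses ISP gateway " + isp_path[0]
    return "ok: ISP gateway not on path"

if __name__ == "__main__":
    print(check_tunnel(TRACE_DIRECT, TRACE_TUNNEL, "192.168.1.1"))
    print(check_tunnel(TRACE_DIRECT, TRACE_DIRECT, "192.168.1.1"))
```

Run it against traces for a destination matched by the Policy Route and for one that is not, so both the tunneled and the direct path are confirmed.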