IKEv2 EAP between NordVPN and Vigor Router

Since firmware version 3.9.0, Vigor Router also supports dialing out an IKEv2 EAP VPN tunnel to NordVPN server. This article introduces how to create IKEv2 EAP VPN tunnel from Vigor Router to NordVPN server in this document.

Note: Vigor2860/2925 support the feature since v3.8.9.4

1. You will need a NordVPN account. You may apply for a 3-day free trial NordVPN account via https://free.nordvpn.com/

a screenshot of NordVPN

2. Download the NordVPN root CA certificate from https://downloads.nordvpn.com/certificates/root.der

3. Get the NordVPN server domain from https://nordvpn.com/servers/
You may get a recommended server by selecting the country you located. In the following picture, de241.nordvpn.com is the hostname of the VPN server.

a screenshot of NordVPN Server settings

4. Log into the router's management page. Go to Certificate Management >> Trusted CA Certificate page, and click IMPORT. Click Choose File to select the root.der file we downloaded in step 2. Then, click Import.

a screenshot of DrayOS Trusted CA settings

5. Wait for few seconds until the router responds “Import Success” and the Certificate Status shows OK

a screenshot of DrayOS Trusted CA settings   

6. Go to VPN and Remote Access >> IPsec Peer Identity, edit a profile to for NordVPN server.

  1. Check Enable this account
  2. Select Accept Any Peer ID
a scressnshot of DrayOS IPsec Peer Identity Settings

7. Go to VPN and Remote Access >> LAN to LAN, click on an available index number, and edit the profile as follows. In Common Settings,

  1. Give it a profile name
  2. Check Enable this profile
  3. Set Call Direction to "Dial-Out"
  4. At Dial-Out Through, select the WAN interface for VPN connection
a screenshot of DrayOS VPN Client Settings

8. In Dial-Out Settings,

  1. Select IKEv2 EAP for the VPN server type
  2. Enter the domain of VPN server we get in step 3 at Server IP address/Hostname
  3. Enter Username (It is the mail address you used for applying the NordVPN account)
  4. Enter Password (It is the one you configured while activating the NordVPN trial service)
  5. Choose "Digital Signature" for IKE Authentication Method, and select the IPsec Peer Identity Profile created in step 6 for Peer ID
  6. Select "AES with Authentication" for IPsec Security Method
  7. Click Advanced
a screenshot of DrayOS VPN Client settings

9. Click Advanced button, In the IKE advanced settings pop-up windows, confgure:

  1. IKE phase 1 proposal as "AES256_SHA1_G14"
  2. IKE phase 2 proposal as "AES256_SHA1"
  3. IKE phase 1 key lifetime as "3600"
  4. IKE phase 2 key lifetime as "1200"
a screenshot of DrayOS IKE advanced settings

10. Click OK to close the window. At TCP/IP Network Settings:

  1. Enter Remote Network IP as ""
  2. Select Remote Network Mask to ""
  3. Change Routing to NAT for this VPN connection
  4. (optional) Enable Change Default Route to this VPN tunnel option if you want all traffic to NordVPN.
a screenshot of DrayOS VPN Settings

11. After finishing above settings, we can check the VPN status via VPN and Remote Access >> Connection Management page.

a screenshot of DrayOS VPN Dial-Out page

12. (optional) We can create Policy Route via Routing >> Load-Balance/Route Policy to send specific traffic to the NordVPN tunnel. To verify the policy, we can use the command “tracert” to check if the defined traffic is going through the VPN tunnel correctly.

a screenshot of cmd running command tracert

Note: In order to accept large packets from NordVPN, Allow pass inbound fragmented large packets (required for certain games and streaming) should be enabled.

necessary firewall setting

Published On: Nov 27, 2018 

Was this helpful?     

Related Articles