This tutorial is officially written by DrayTek. You can find the original tutorial here.
Since firmware version v3.9.0, Vigor Router supports dialing out an IKEv2 EAP VPN tunnel to a NordVPN server. This tutorial shows how you can create an IKEv2 EAP VPN tunnel from Vigor Router to a NordVPN server.
Note: Vigor 2860/2925 support the feature since v220.127.116.11.
- Download the NordVPN root CA certificate from this link: https://downloads.nordvpn.com/certificates/root.der.
- Get the hostname of a NordVPN server of your choice. You may find a recommended server on this page: https://nordvpn.com/servers/tools/.
In the following picture, the hostname of the VPN server is de241.nordvpn.com:
- Log into the router's management page. Go to Certificate Management >> Trusted CA Certificate page, and click IMPORT. Click Choose File to select the root.der file we downloaded in step 1. Then, click Import.
- Wait for a few seconds until the router responds Import Success and the Certificate Status shows OK.
- Go to VPN and Remote Access >> IPsec Peer Identity, set the profile name to NordVPN.
- Check Enable this account
- Select Accept Any Peer ID
- Go to VPN and Remote Access >> LAN to LAN, click on an available index number, and edit the profile as follows.
In Common Settings:
- Give it a profile name
- Check Enable this profile
- Set Call Direction to "Dial-Out"
- At Dial-Out Through, select the WAN interface for VPN connection
- In Dial-Out Settings:
- Select IPsec Tunnel and IKEv2
- Select IPsec EAP for the VPN server type
- Enter the domain of the VPN server you got in step 2 at Server IP address/Hostname
- Enter your NordVPN account Username
- Enter your NordVPN account Password
- Choose Digital Signature for IKE Authentication Method and select the IPsec Peer Identity Profile created in step 5 for Peer ID
- Select AES with Authentication for IPsec Security Method
- Click Advanced
- In the IKE advanced settings pop-up window, configure the following:
- IKE phase 1 proposal as AES256_SHA1_G14
- IKE phase 2 proposal as AES256_SHA1
- IKE phase 1 key lifetime as 3600
- IKE phase 2 key lifetime as 1200
- Click OK to close the window. At TCP/IP Network Settings:
- Enter Remote Network IP as 0.0.0.0
- Select Remote Network Mask to 0.0.0.0/00
- Change Routing to NAT for this VPN connection
- (optional) Enable Change Default Route to this VPN tunnel option if you want to route all traffic through NordVPN.
- After finishing the above settings, you can check the VPN status via VPN and Remote Access >> Connection Management page.
- (optional) You can create Policy Route via Routing >> Load-Balance/Route Policy to send specific traffic to the NordVPN tunnel. To verify the policy, you can use the command “tracert” to check if the defined traffic is going through the VPN tunnel correctly.