Your IP: Unknown · Your Status: Unprotected Protected

IKEv2

This tutorial is officially written by Mikrotik. You can find the original tutorial here.

Since firmware version v6.45, Mikrotik routers support dialing out an IKEv2 EAP VPN tunnel to a NordVPN server. This tutorial explains how you can create an IKEv2 EAP VPN tunnel from Mikrotik router to a NordVPN server.

  1. Open the terminal on your RouterOS settings.
  2. Install the NordVPN root CA certificate by running the commands below:

    /tool fetch url="https://downloads.nordvpn.com/certificates/root.der"

    /certificate import file-name=root.der

  3. Navigate to https://nordvpn.com/servers/tools/ and find out the recommended server's hostname. In our case, it is nl125.nordvpn.com.

  4. Now you have to set up the IPsec tunnel. It is advised to create a separate Phase 1 profile and Phase 2 proposal configurations to not interfere with any existing or future IPsec configuration:

    /ip ipsec profile
    add name=NordVPN

    /ip ipsec proposal
    add name=NordVPN pfs-group=none

    While it is possible to use the default policy template for policy generation, it is better to create a new policy group and template to separate this configuration from any other IPsec configuration.

    /ip ipsec policy group
    add name=NordVPN

    /ip ipsec policy
    add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=0.0.0.0/0 template=yes

  5. Create a new mode config entry with responder=no that will request configuration parameters from the server:

    /ip ipsec mode-config
    add name=NordVPN responder=no

  6. Create peer and identity configurations. Specify your NordVPN credentials in username and password parameters:

    /ip ipsec peer
    add address=nl125.nordvpn.com exchange-mode=ike2 name=NordVPN profile=NordVPN

    /ip ipsec identity
    add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=NordVPN peer=NordVPN policy-template-group=NordVPN username=YourNordVPNUsername password=YourNordVPNPassword

  7. Now you have to choose what to send over the VPN tunnel. In this example, we have a local network 10.5.8.0/24 behind the router and we want all traffic from this network to be sent over the tunnel. First of all, we have to make a new IP/Firewall/Address list which consists of our local network.

    /ip firewall address-list
    add address=10.5.8.0/24 list=local

    Assign newly created IP/Firewall/Address list to mode config configuration:

    /ip ipsec mode-config
    set [ find name=NordVPN ] src-address-list=local

  8. Verify correct source NAT rule is dynamically generated when the tunnel is established.

    /ip firewall nat print