V. VPN (Virtual Private Networking)

NordVPN: How to connect a DrayTek VPN router with IKEv2 EAP

Products:
Vigor 2620Ln
Vigor 2762
Vigor 2765
Vigor 2832
Show all

Keywords:
IKEV2 EAP
Nord VPN
X.509
certificate
Show all

Many DrayTek Vigor routers support VPN tunnels with IPsec IKEv2 and EAP authentication. IPsec IKEv2 is a fast and secure VPN protocol and with EAP for authentication, the router can utilise X.509 certificates to ensure that the connection is established only with trusted hosts.

This article demonstrates how to create an IKEv2 EAP VPN tunnel from a DrayTek Vigor Router to NordVPN server.

Account & Initial Setup

1. You will need a NordVPN account. You can apply for a 30-day free trial NordVPN account via https://free.nordvpn.com/

nord1

2. Download the NordVPN root CA certificate from https://downloads.nordcdn.com/certificates/root.der

3. Get the NordVPN server domain from here
You may get a recommended server by selecting the country you located. In the following picture, uk960.nordvpn.com is the hostname of the VPN server.

nord2

Router Setup - Installing the X.509 Certificate

To connect to NordVPN, the router will need to have the certificate from NordVPN loaded onto the router and configured as a trusted certificate. It can then be used for authentication.

4. Log into the router's management page. Go to [Certificate Management ] > ]Trusted CA Certificate] page, and click IMPORT. Click Choose File to select the root.der file we downloaded in step 2. Then, click Import.

 nord3.png

5. Wait for a few seconds until the router responds “Import Success” and the Certificate Status shows OK.

nord44.png

6. Go to [VPN and Remote Access] > [IPsec Peer Identity], edit a profile to for NordVPN server.

  1. Check Enable this account
  2. Select Accept Any Peer ID

 nord5.png

Router Setup - VPN Configuration

7. Go to [VPN and Remote Access] > [LAN to LAN], click on an available index number, and edit the profile as follows. In Common Settings,

  1. Give it a profile name
  2. Check Enable this profile
  3. Set Call Direction to "Dial-Out"
  4. At Dial-Out Through, select the WAN interface for VPN connection

 nord6.png

8. In Dial-Out Settings,

  1. Select IKEv2 EAP for the VPN server type
  2. Enter the domain of VPN server we get in step 3 at Server IP address/Hostname
  3. Enter Username (It is the mail address you used for applying the NordVPN account)
  4. Enter Password (It is the one you configured while activating the NordVPN trial service)
  5. Choose "Digital Signature" for IKE Authentication Method, and select the IPsec Peer Identity Profile created in step 6 for Peer ID
  6. Select "AES with Authentication" for IPsec Security Method
  7. Click Advanced

 nord7.png

9. Click Advanced button, In the IKE advanced settings pop-up windows, confgure:

  1. IKE phase 1 proposal as "AES256_SHA1_G14"
  2. IKE phase 2 proposal as "AES256_SHA1"
  3. IKE phase 1 key lifetime as "3600"
  4. IKE phase 2 key lifetime as "1200"

 nord88.png

10. Click OK to close the window. At TCP/IP Network Settings:

  1. Enter Remote Network IP as "0.0.0.0"
  2. Select Remote Network Mask to "0.0.0.0/00"
  3. Change Routing to NAT for this VPN connection
  4. (optional) Enable Change Default Route to this VPN tunnel option if you want all traffic to go through NordVPN.

 nord9.png

Checking VPN Status & Troubleshooting

11. After completing the above settings, we can check the VPN status via [VPN and Remote Access] > [Connection Management] page.

 nord10.png

12. (optional) We can create Policy Route via [Routing] > [Load-Balance/Route Policy] to send specific traffic to the NordVPN tunnel.

This would be useful in situations whereby you want to specify an outbound interface for specific traffic. For example you want to use NordVPN as gateway for traffic which destined for an IP address or certain domain name. You could also use policy route to force certain LAN client’s traffic to go NordVPN, ensuring that only those LAN clients use the VPN when they are accessingthe internet.

For information on how to setup policy route can be found here

To verify the policy, we can use the command “tracert” to check if the defined traffic is going through the VPN tunnel correctly.

nord11.png

NOTE:

In order to accept large packets from NordVPN, Allow pass inbound fragmented large packets (required for certain games and streaming) should be enabled in [Firewall] > [General Setup].

nord12.png

How do you rate this article?

1 1 1 1 1 1 1 1 1 1

First Published: 06/04/2020
Last Updated: 16/11/2021