IKEv2 EAP VPN - DrayTek Vigor Router to NordVPN server
NordVPN is a cloud VPN service whose servers support VPN protocols such as PPTP, L2TP over IPsec, OpenVPN and IKEv2. DrayTek's PPTP and L2TP/IPsec VPN are listed as compatible by NordVPN. Since firmware version 3.9.0, Vigor Router can also dial out an IKEv2 EAP VPN tunnel to a NordVPN server. This document explains how to create an IKEv2 EAP VPN tunnel from a Vigor Router to a NordVPN server.
1. Create and activate a NordVPN account via https://nordvpn.com
2. Download the NordVPN root CA certificate from https://downloads.nordvpn.com/certificates/root.der
3. Select the preferred NordVPN server from:
- You may select the country you are located in, and NordVPN will recommend a server. (Make sure the recommended server supports IKEv2 EAP!)
- In the following picture, "de241.nordvpn.com" is the recommended NordVPN server.
1. Go to Certificate Management >> Trusted CA Certificate page and click "IMPORT".
2. Click "Choose File" to select the root.der file downloaded from https://downloads.nordvpn.com/certificates/root.der in the preparation steps above. Then click Import.
3. Wait a few seconds. Vigor Router will respond "Import Success" and the Certificate Status shows OK.
4. Go to VPN and Remote Access >> IPsec Peer Identity page and edit a profile to add an identity profile for the NordVPN server. Click "Enable this account" and select "Accept Any Peer ID".
5. Go to VPN and Remote Access >> LAN to LAN, click on an available "index" number and edit the profile as follows:
a. In Common Settings:
- Give it a profile name and Enable this profile
- Set Call Direction to Dial-Out
- Select the WAN interface that the VPN will dial out through
b. In Dial-Out Setting:
1) Select IPsec EAP as the "VPN server type"
2) Enter the VPN server IP address/hostname (the server selected in the preparation steps above).
3) Enter the Username and Password. (Username is the email address you used when applying for the NordVPN account; Password is the one you configured when activating your NordVPN account.)
4) Choose Digital Signature and, for Peer ID, select the "IPsec Peer Identity Profile" created for the NordVPN server in the IPsec Peer Identity step above.
5) Select AES with Authentication as "IPsec Security"
6) Click the Advanced button to configure advanced IKE/IPsec settings
Instead of your email address and account password, you can also use the service credentials from your account.
However, this requires that your DrayTek model allows VPN passwords longer than 15 characters.
In IKE advanced settings page, please configure:
- IKE phase 1 proposal: AES256
- IKE phase 1 proposal Group: G14
- IKE phase 1 proposal Authentication: SHA1
- IKE phase 2 proposal: AES256_SHA1
- IKE phase 1 key lifetime: 3600
- IKE phase 2 key lifetime: 1200
c. In TCP/IP Network Settings:
- Enter Remote Network IP/Mask as 0.0.0.0/0
- Select NAT for this VPN connection
- Enable the "Change Default Route to this VPN tunnel" option if you want all traffic to go through the NordVPN tunnel.
6. After finishing the above settings, check the VPN status via the VPN and Remote Access >> Connection Management page.
7. A Policy Route can be created via Routing >> Load-Balance/Route Policy to send specific traffic via the NordVPN tunnel.
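As an added example (not part of the DrayTek guide or NordVPN's documentation), the following Python script records the dial-out settings above as data and checks the relationships worth verifying before committing them: integrity and encryption algorithm choice, DH group strength, phase 1 versus phase 2 lifetimes, and whether a 0.0.0.0/0 remote network is actually routed into the tunnel. Only G14 appears in the guide; the other groups and their approximate strength figures are assumptions taken from NIST SP 800-57 equivalences.

```python
from dataclasses import dataclass
from typing import List

# Approximate security strength (bits) of IKE DH groups (NIST SP 800-57 equivalences).
# Only G14 appears in the guide; the other entries are assumptions added for comparison.
DH_GROUP_BITS = {"G1": 80, "G2": 80, "G5": 90, "G14": 112, "G19": 128, "G20": 192}
BROKEN_INTEGRITY = {"MD5"}
LEGACY_INTEGRITY = {"SHA1"}

@dataclass
class DialOutSettings:
    p1_encryption: str           # IKE phase 1 proposal, e.g. "AES256"
    p1_dh_group: str             # IKE phase 1 proposal Group, e.g. "G14"
    p1_integrity: str            # IKE phase 1 proposal Authentication, e.g. "SHA1"
    p2_proposal: str             # IKE phase 2 proposal, e.g. "AES256_SHA1"
    p1_lifetime_s: int           # IKE phase 1 key lifetime (seconds)
    p2_lifetime_s: int           # IKE phase 2 key lifetime (seconds)
    remote_network: str          # Remote Network IP/Mask, e.g. "0.0.0.0/0"
    default_route_via_vpn: bool  # "Change Default Route to this VPN tunnel" enabled

def check(s: DialOutSettings) -> List[str]:
    """Return human-readable findings; an empty list means nothing to flag."""
    findings = []
    p2_enc, _, p2_integ = s.p2_proposal.partition("_")
    for phase, integ in (("phase1", s.p1_integrity), ("phase2", p2_integ)):
        if integ in BROKEN_INTEGRITY:
            findings.append(f"{phase}: {integ} integrity is broken, use SHA256 or stronger")
        elif integ in LEGACY_INTEGRITY:
            findings.append(f"{phase}: {integ} is legacy, prefer SHA256 if the server offers it")
    bits = DH_GROUP_BITS.get(s.p1_dh_group)
    if bits is None:
        findings.append(f"phase1: unknown DH group {s.p1_dh_group}")
    elif bits < 112:
        findings.append(f"phase1: {s.p1_dh_group} (~{bits}-bit) is below the 112-bit floor, use G14 or higher")
    for phase, enc in (("phase1", s.p1_encryption), ("phase2", p2_enc)):
        if not enc.startswith("AES"):
            findings.append(f"{phase}: {enc} is not AES, use AES128 or AES256")
    if s.p2_lifetime_s >= s.p1_lifetime_s:
        findings.append("lifetimes: phase 2 lifetime should be shorter than phase 1 (guide uses 1200 < 3600)")
    if s.remote_network == "0.0.0.0/0" and not s.default_route_via_vpn:
        findings.append("routing: 0.0.0.0/0 without default-route change carries only policy-routed traffic")
    return findings

# Values exactly as configured in the guide above (constructed sample input).
GUIDE_SETTINGS = DialOutSettings("AES256", "G14", "SHA1", "AES256_SHA1", 3600, 1200, "0.0.0.0/0", True)

if __name__ == "__main__":
    for line in check(GUIDE_SETTINGS) or ["no findings"]:
        print(line)
```

Run against the guide's own values it reports only that SHA1 is a legacy integrity algorithm in both phases; everything else passes.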