How can we help you?

MikroTik IKEv2 setup with NordVPN

These instructions are based on a tutorial written by MikroTik. You can find the original article here.

MikroTik routers with RouterOS version 6.45 and later allow to establish an IKEv2 EAP VPN tunnel to a NordVPN server. This tutorial explains how you can create an IKEv2 EAP VPN tunnel from a MikroTik router to a NordVPN server.


  1. Open the terminal in your RouterOS settings.
  2. Install the NordVPN root CA certificate by running the following commands:

    /tool fetch url=""

    /certificate import file-name=root.der

  3. Go to to find out the hostname of the server recommended for you. In our case, it is

  4. Now you have to set up the IPsec tunnel. It is advised to create a separate Phase 1 profile and Phase 2 proposal configurations to avoid interfering with any existing or future IPsec configuration:

    /ip ipsec profile
    add name=NordVPN

    /ip ipsec proposal
    add name=NordVPN pfs-group=none

    While it is possible to use the default policy template for policy generation, it is better to create a new policy group and template to separate this configuration from any other IPsec configuration.

    /ip ipsec policy group add name=NordVPN
    /ip ipsec policy add dst-address= group=NordVPN proposal=NordVPN src-address= template=yes
  5. Create a new mode config entry with responder=no that will request configuration parameters from the server:

    /ip ipsec mode-config
    add name=NordVPN responder=no

  6. Create peer and identity configurations. Specify your NordVPN credentials in the username and password parameters:

    /ip ipsec peer
    add exchange-mode=ike2 name=NordVPN profile=NordVPN

    /ip ipsec identity
    add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=NordVPN peer=NordVPN policy-template-group=NordVPN username=YourNordVPNServiceUsername password=YourNordVPNServicePassword

    You can find your NordVPN service credentials in the Nord Account dashboard. Copy the credentials using “Copy” the buttons on the right.

  7. Now choose what to send over the VPN tunnel. In this example, we have a local network behind the router and we want all traffic from this network to be sent over the tunnel. First of all, we have to make a new IP/Firewall/Address list which consists of our local network.

    /ip firewall address-list
    add address= list=local

    Assign the newly created IP/Firewall/Address list to the mode-config configuration:

    /ip ipsec mode-config
    set [ find name=NordVPN ] src-address-list=local

  8. Verify that the correct source NAT rule is dynamically generated when the tunnel is established.

    /ip firewall nat print

Related Articles

© Copyright 2022 all rights reservedSelf-service by