MikroTik IKEv2 setup with NordVPN

MikroTik routers support many VPN services, including NordVPN. In particular, MikroTik routers with RouterOS version 6.45 and later let you establish an IKEv2 EAP VPN tunnel to a NordVPN server. This tutorial explains how you can connect to a VPN on your MickoTik router.

  1. Open the terminal in your RouterOS settings.
  2. Install the NordVPN root certificate by running the following commands:

    /tool fetch url="https://downloads.nordcdn.com/certificates/root.der"

    /certificate import file-name=root.der
     
  3. Connect to the NordVPN server to find out the hostname of the recommended server. For our example, we used "nl125.nordvpn.com."

Follow the steps below to find the best server for your connection:

  1. Log into your Nord Account, and click NordVPN.

    Nord Account Services > NordVPN page with NordVPN selected in the left sidebar
     
  2. Scroll down to Advanced Settings and click Set up NordVPN manually.

    Nord Account NordVPN page scrolled to Advanced settings with 'Set up NordVPN manually' button highlighted
     
  3. Select the Server recommendation tab. According to your location, the best server will be recommended.

    Nord Account Configuration page with 'Server recommendation' tab selected and highlighted
     
  4. By pressing Advanced filters you can further customize the recommended servers by selecting the Server type and the Security protocol.

    Nord Account Configuration Server recommendation tab with 'Advanced filters' link highlighted

    Nord Account Configuration Server recommendation with 'Server type' and 'Security protocol' filter dropdowns expanded
     
  5. Under the server IP, next to Available protocols, select IKEv2/IPSec.
    Nord Account Configuration showing recommended server de1172.nordvpn.com with IKEv2/IPSec protocol circled and 'Get setup configuration' button
     
  6. In the window that pops up, copy the server hostname and use it in your IKEv2 manual connection setup.
    Nord Account 'Setup configuration' popup with IKEv2/IPSec protocol selected, de1172.nordvpn.com hostname shown, and copy button highlighted
     
  7. When connecting to IKEv2 manually, you're going to need to use the Username and Password from the Service credential tab.
    Nord Account Configuration Service credentials tab highlighted showing service username and masked password
     
  8. Now you have to set up the IPsec tunnel. We recommend creating a separate profile and proposal configuration to avoid interfering with existing or future IPsec configuration:

    /ip ipsec profile
    add name=NordVPN

    /ip ipsec proposal
    add name=NordVPN pfs-group=none

    While it is possible to use the default policy template, it is better to create a new policy group and template to separate this configuration from other IPsec configurations.

    /ip ipsec policy group add name=NordVPN
    /ip ipsec policy add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=0.0.0.0/0 template=yes

     
  9. Create a new “mode config” entry with “responder=no” (no quotation marks) that will request configuration parameters from the server:

    /ip ipsec mode-config
    add name=NordVPN responder=no

     
  10. Create peer and identity configurations. Enter your NordVPN credentials in the username and password parameters:

    /ip ipsec peer
    add address=nl125.nordvpn.com exchange-mode=ike2 name=NordVPN profile=NordVPN

    /ip ipsec identity
    add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=NordVPN peer=NordVPN policy-template-group=NordVPN username=YourNordVPNServiceUsername password=YourNordVPNServicePassword
  11. You can find your NordVPN service credentials (service username and service password) in the Nord Account dashboard.

Follow the steps below to find the service credentials for manual connection setup:

  1. Log into your Nord Account, click NordVPN, and, under Manual setup, click on Service credentials. Here you'll find the Username and Password needed to connect manually.

    Nord Account Configuration Service credentials tab highlighted showing service username and masked password
     
  2. Now choose what to send over the VPN tunnel. In this example, we have the local network “192.168.88.0/24” behind the router, and we want all traffic from this network to be sent through the tunnel. First, we have to make a new “IP/Firewall/Address” list that consists of our local network.

    /ip firewall address-list
    add address=192.168.88.0/24 list=local

    Assign the newly created "IP/Firewall/Address" list to the "mode-config" configuration:

    /ip ipsec mode-config
    set [ find name=NordVPN ] src-address-list=local

     
  3. Verify that the correct source NAT rule is dynamically generated when the tunnel is established.

    /ip firewall nat print
Was this article helpful?

Still having issues?

  • Live chat

  • Email form

By clicking “Chat with support”, you agree to our Terms of Service and acknowledge our Privacy Policy. Chat functionality relies on cookies. By starting the chat, you agree to their use. Learn more in our Cookie Policy.