DrayTek Vigor IKEv2 setup with NordVPN

This tutorial was officially written by DrayTek. You can find the original tutorial here.

Important update: This tutorial will likely only work for DrayTek routers that have the following version of the firmware:

v2135 - 4.2.1.2 
v2765 - 4.2.1.1 
v2865 - 4.2.2 
v2927 - 4.2.2

Older versions may fail to authenticate.



This tutorial will show you how to create an IKEv2 EAP VPN tunnel from Vigor Router to a NordVPN server.

First, we'll need to get the hostname of the server that we'll be connecting to.

In order to find the server best suited for you, follow the steps below:

 

Follow the steps below to find the best server for your connection:

  1. Log into your Nord Account, and click NordVPN.

    Nord Account Services > NordVPN page with NordVPN selected in the left sidebar
     
  2. Scroll down to Advanced Settings and click Set up NordVPN manually.

    Nord Account NordVPN page scrolled to Advanced settings with 'Set up NordVPN manually' button highlighted
     
  3. Select the Server recommendation tab. According to your location, the best server will be recommended.

    Nord Account Configuration page with 'Server recommendation' tab selected and highlighted
     
  4. By pressing Advanced filters you can further customize the recommended servers by selecting the Server type and the Security protocol.

    Nord Account Configuration Server recommendation tab with 'Advanced filters' link highlighted

    Nord Account Configuration Server recommendation with 'Server type' and 'Security protocol' filter dropdowns expanded
     
  5. Under the server IP, next to Available protocols, select IKEv2/IPSec.
    Nord Account Configuration showing recommended server de1172.nordvpn.com with IKEv2/IPSec protocol circled and 'Get setup configuration' button
     
  6. In the window that pops up, copy the server hostname and use it in your IKEv2 manual connection setup.
    Nord Account 'Setup configuration' popup with IKEv2/IPSec protocol selected, de1172.nordvpn.com hostname shown, and copy button highlighted

     
  7. When connecting to IKEv2 manually, you're going to need to use the Username and Password from the Service credential tab.
    Nord Account Configuration Service credentials tab highlighted showing service username and masked password
     
  1. Now, let's log into the router's management page.

    Open a browser of your choice, click on the address bar, type in 192.168.1.1 and press enter 
    (If this does not open the log-in prompt, please check your router's manual for the proper IP address).

    You should see a log-in prompt appear. The default Username and Password should both be 'admin' or 'admin'/blank.

    Firefox browser showing DrayTek router authentication prompt at 192.168.1.1 with username 'admin' entered
     

  2. Now, navigate to Certificate Management >> Trusted CA Certificate. When there, click IMPORT.

    DrayTek router sidebar menu with Certificate Management > Trusted CA Certificate item highlighted
     
  3. We will need to import the NordVPN root CA certificate, which you must first download by following this link: https://downloads.nordcdn.com/certificates/root.der.
     
  4. Afterwards, press on Choose File and select the root file which you downloaded in the previous step. Later, click Import.

    DrayTek Trusted CA Certificate import form with Choose File button highlighted and Windows file picker open with root.der selected
     
  5. Wait for a few seconds until the router responds Import Success and the Certificate Status shows OK.

    DrayTek X509 Trusted CA Certificate configuration table showing Trusted CA-1 with NordVPN certificate and status OK
     
  6. Then, go to VPN and Remote Access >> IPsec Peer Identity.

    DrayTek router sidebar menu with arrow pointing to 'VPN and Remote Access' item

    Here, you need to set the profile name to NordVPN.
    • Also, check Enable this account
    • And, select Accept Any Peer ID

      DrayTek VPN and Remote Access IPsec Peer Identity form with 'Enable this account' checkbox and 'Accept Any Peer ID' option highlighted
       
  7. Following that, go to VPN and Remote Access >> LAN to LAN, click on an available index number, and edit the profile as follows.

    In Common Settings:
     
    • Give it a profile name
    • Check Enable this profile
    • Set Call Direction to "Dial-Out"
    • At Dial-Out Through, select the WAN interface for VPN connection
       
  8. In Dial-Out Settings:
     
    • Select IPsec Tunnel and IKEv2
    • Select IPsec EAP for the VPN server type
    • Enter the hostname of the VPN server you got in step 1 at Server IP address/Hostname
    • Enter your NordVPN service Username
    • Enter your NordVPN service Password

      You can find your NordVPN service credentials (service username and service password) in the Nord Account dashboard:

Follow the steps below to find the service credentials for manual connection setup:

  1. Log into your Nord Account, click NordVPN, and, under Manual setup, click on Service credentials. Here you'll find the Username and Password needed to connect manually.

    Nord Account Configuration Service credentials tab highlighted showing service username and masked password

 

  1.  
    • Choose Digital Signature for IKE Authentication Method and select the IPsec Peer Identity Profile created in step 5 for Peer ID
    • Select AES with Authentication for IPsec Security Method
    • Click Advanced

       DrayTek Dial-Out Settings with IPsec EAP selected, server de241.nordvpn.com entered, and Digital Signature authentication configured, with numbered callouts
       
  2. In the IKE advanced settings pop-up window, configure the following:
     
    • IKE phase 1 proposal as AES256_SHA1_G14
    • IKE phase 2 proposal as AES256_SHA1
    • IKE phase 1 key lifetime as 28800
    • IKE phase 2 key lifetime as 3600

      DrayTek IKE advanced settings showing IKE phase 1 proposal AES256_SHA1_G14, phase 2 AES256_SHA1, and key lifetimes 28800 and 3600 highlighted
       
  3. Click OK to close the window. At TCP/IP Network Settings:
     
    • Enter Remote Network IP as 0.0.0.0
    • Select Remote Network Mask to 0.0.0.0/00
    • Change Routing to NAT for this VPN connection
    • (optional) Enable Change Default Route to this VPN tunnel option if you want to route all traffic through NordVPN.

      DrayTek TCP/IP Network Settings with Remote Network IP 0.0.0.0, Remote Network Mask 0.0.0.0/00, and NAT routing selected
       
  4. After finishing the above settings, you can check the VPN status via VPN and Remote Access >> Connection Management page.

    DrayTek VPN and Remote Access Connection Management showing toNordVPN IKEv2 IPsec tunnel connected with uptime
     

Optional

You can create Policy Route via Routing >> Load-Balance/Route Policy to send specific traffic to the NordVPN tunnel. To verify the policy, you can use the command “tracert” to check if the defined traffic is going through the VPN tunnel correctly.


Windows Command Prompt tracert output showing traffic routing through VPN IP 185.230.127.13, with arrows labeling VPN hop and Australia IP

 

Was this article helpful?

Still having issues?

  • Live chat

  • Email form

By clicking “Chat with support”, you agree to our Terms of Service and acknowledge our Privacy Policy. Chat functionality relies on cookies. By starting the chat, you agree to their use. Learn more in our Cookie Policy.