This tutorial was officially written by DrayTek. You can find the original tutorial here.
Important update: This tutorial will likely only work for DrayTek routers running the following firmware versions:
- v2135 - 4.2.1.2
- v2765 - 4.2.1.1
- v2865 - 4.2.2
- v2927 - 4.2.2
Routers running older firmware may fail to authenticate.
This tutorial will show you how to create an IKEv2 EAP VPN tunnel from Vigor Router to a NordVPN server.
First, we need the hostname of the NordVPN server we will be connecting to. Follow the steps below to find the best server for your connection:
- Log into your Nord Account, and click NordVPN.
- Scroll down to Advanced Settings and click Set up NordVPN manually.
- Select the Server recommendation tab. Based on your location, the best server will be recommended.
- By pressing Advanced filters you can further customize the recommended servers by selecting the Server type and the Security protocol.
Note the hostname of the recommended server; it is entered in the LAN to LAN profile later in this tutorial.
- Now, let's log into the router's management page.
Open a browser of your choice, type 192.168.1.1 in the address bar and press Enter (if this does not open the log-in prompt, check your router's manual for the correct IP address).
You should see a log-in prompt. The default username is 'admin' and the default password is either 'admin' or blank, depending on the model. If the router is still using these defaults, change them before you bring the VPN up.
- Now, navigate to Certificate Management >> Trusted CA Certificate and click IMPORT.
- We will need to import the NordVPN root CA certificate. Download it first from https://downloads.nordcdn.com/certificates/root.der. The router uses this CA to validate the certificate the NordVPN server presents during IKEv2 authentication, so make sure the file really is the NordVPN root CA before importing it.
- Then click Choose File, select the root.der file you downloaded in the previous step, and click Import.
- Wait a few seconds until the router responds Import Success and the Certificate Status shows OK.
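Before importing root.der it is worth checking that the file you downloaded is what the router will be trusting. The script below is an added example and not part of the DrayTek tutorial; it assumes OpenSSL is installed and that the certificate was saved locally (the path ./root.der and the function name inspect_root_ca are assumptions). It confirms that the file is a DER-encoded X.509 certificate, that it is self-signed and marked as a CA, and that it has not expired, then prints the subject, validity dates and SHA-256 fingerprint so you can record them next to the router configuration and compare them with a copy obtained through another trusted channel.

```shell
#!/bin/sh
# Added example (not part of the DrayTek tutorial). Inspect a DER-encoded
# root CA before importing it into the router. Requires openssl.

inspect_root_ca() {
    der="$1"
    [ -s "$der" ] || { echo "missing or empty file: $der" >&2; return 1; }

    # 1. Must parse as a DER-encoded X.509 certificate at all.
    if ! openssl x509 -inform der -in "$der" -noout >/dev/null 2>&1; then
        echo "not a DER X.509 certificate: $der" >&2
        return 1
    fi

    # 2. A root CA is self-signed: issuer and subject must be identical.
    subj=$(openssl x509 -inform der -in "$der" -noout -subject)
    iss=$(openssl x509 -inform der -in "$der" -noout -issuer)
    if [ "${subj#subject=}" != "${iss#issuer=}" ]; then
        echo "not self-signed (issuer differs from subject): $der" >&2
        return 1
    fi

    # 3. Must be marked as a CA (basicConstraints CA:TRUE); a leaf
    #    certificate cannot be used to validate the server's certificate.
    if ! openssl x509 -inform der -in "$der" -noout -text \
         | awk '/X509v3 Basic Constraints/ { getline; print; exit }' \
         | grep -q 'CA:TRUE'; then
        echo "certificate is not a CA (no basicConstraints CA:TRUE): $der" >&2
        return 1
    fi

    # 4. Must still be valid today (-checkend 0 fails if already expired).
    if ! openssl x509 -inform der -in "$der" -noout -checkend 0 >/dev/null; then
        echo "certificate has expired: $der" >&2
        return 1
    fi

    # Print the details to record alongside the router configuration.
    echo "$subj"
    openssl x509 -inform der -in "$der" -noout -dates
    openssl x509 -inform der -in "$der" -noout -fingerprint -sha256
}

# Usage: sh check_root_ca.sh ./root.der   (file name and path are assumptions)
if [ -n "$1" ]; then
    inspect_root_ca "$1"
fi
```

The function returns a non-zero status on the first failed check, so it can be used as a gate in a script as well as run interactively. The fingerprint it prints is the value to compare against; the tutorial does not give one, so obtain it from NordVPN or from a second, independently downloaded copy.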
- Then, go to VPN and Remote Access >> IPsec Peer Identity and edit an available profile:
- Set the profile name to NordVPN
- Check Enable this account
- Select Accept Any Peer ID
With Accept Any Peer ID the router does not match a specific subject name or Subject Alternative Name in the server's certificate; the server is still authenticated by validating its certificate against the trusted CA imported above.
- Following that, go to VPN and Remote Access >> LAN to LAN, click on an available index number, and edit the profile as follows.
In Common Settings:
- Give it a profile name
- Check Enable this profile
- Set Call Direction to "Dial-Out"
- At Dial-Out Through, select the WAN interface to use for the VPN connection
In Dial-Out Settings:
- Select IPsec Tunnel and IKEv2
- Select IPsec EAP for the VPN server type
- At Server IP address/Hostname, enter the hostname of the NordVPN server you obtained in the first step
- Enter your NordVPN service Username
- Enter your NordVPN service Password
You can find your NordVPN service credentials (service username and service password) in the Nord Account dashboard:
- Log into your Nord Account, and click NordVPN.
- Scroll down to Advanced Settings and click Set up NordVPN manually.
- Select the Service credentials tab, where you'll find the Username and Password needed to connect manually.
These service credentials are separate from your Nord Account login; enter the service pair in the router, not the account email and password.
- Choose Digital Signature for the IKE Authentication Method and, for Peer ID, select the NordVPN IPsec Peer Identity profile created above
- Select AES with Authentication for IPsec Security Method
- Click Advanced
- In the IKE advanced settings pop-up window, configure the following:
- IKE phase 1 proposal: AES256_SHA1_G14
- IKE phase 2 proposal: AES256_SHA1
- IKE phase 1 key lifetime: 28800 (seconds, i.e. 8 hours)
- IKE phase 2 key lifetime: 3600 (seconds, i.e. 1 hour)
AES256_SHA1_G14 means AES-256 encryption, SHA1-based integrity and Diffie-Hellman group 14 (2048-bit MODP) for the IKE SA; the phase 2 proposal uses the same cipher and integrity algorithm for the ESP SA. These proposals must match what the NordVPN server offers, so do not change them unless NordVPN publishes different values.
- Click OK to close the window. At TCP/IP Network Settings:
- Enter Remote Network IP as 0.0.0.0
- Set Remote Network Mask to 0.0.0.0/0
- Change Routing to NAT for this VPN connection
- (optional) Enable the Change Default Route to this VPN tunnel option if you want to route all traffic through NordVPN.
A remote network of 0.0.0.0/0 makes the tunnel's traffic selector cover every destination, and NAT hides the LAN behind the single address NordVPN assigns to the tunnel.
- After finishing the above settings, you can check the VPN status via VPN and Remote Access >> Connection Management page.
Optional
You can create a Policy Route via Routing >> Load-Balance/Route Policy to send only specific traffic to the NordVPN tunnel. To verify the policy, run tracert (on Windows; traceroute on Linux and macOS) from a client to a destination covered by the policy and to one that is not, and check that only the path for the policy's traffic goes through the VPN tunnel rather than directly out of the WAN.