DrayTek Vigor IKEv2 setup with NordVPN

This tutorial was officially written by DrayTek. You can find the original tutorial here.

Important update: This tutorial will likely only work for DrayTek routers that have the following version of the firmware:

v2135 - 4.2.1.2 
v2765 - 4.2.1.1 
v2865 - 4.2.2 
v2927 - 4.2.2

Older versions may fail to authenticate.



This tutorial will show you how to create an IKEv2 EAP VPN tunnel from Vigor Router to a NordVPN server.

  1. First, we'll need to get the hostname of the server that we'll be connecting to.

    For this step, you'll need to use our server-finding tool*. Click here to access it: https://nordvpn.com/servers/tools/ 
         *The name is self-explanatory: the tool uses a special algorithm to find the best-suited server for you.

    The hostname is the first piece of text you can see under the country's flag. 
    For the purpose of this tutorial, we will use the de241.nordvpn.com hostname:

    Copy and save the hostname somewhere for now. We will need it later in the tutorial. 
     
  2. Now, let's log into the router's management page.

    Open a browser of your choice, click on the address bar, type in 192.168.1.1 and press Enter.
    (If this does not open the log-in prompt, please check your router's manual for the proper IP address.)

    You should see a log-in prompt appear. The default Username and Password should both be 'admin' or 'admin'/blank.

  3. Now, navigate to Certificate Management >> Trusted CA Certificate. When there, click IMPORT.

  4. We will need to import the NordVPN root CA certificate, which you must first download by following this link: https://downloads.nordcdn.com/certificates/root.der.
     
  5. Afterwards, click Choose File and select the root file which you downloaded in the previous step. Then, click Import.

  6. Wait a few seconds until the router responds with Import Success and the Certificate Status shows OK.

  7. Then, go to VPN and Remote Access >> IPsec Peer Identity.

    Here, you need to set the profile name to NordVPN.
    • Also, check Enable this account
    • And, select Accept Any Peer ID

  8. Following that, go to VPN and Remote Access >> LAN to LAN, click on an available index number, and edit the profile as follows.

    In Common Settings:
     
    • Give it a profile name
    • Check Enable this profile
    • Set Call Direction to "Dial-Out"
    • At Dial-Out Through, select the WAN interface for VPN connection
       
  9. In Dial-Out Settings:
     
    • Select IPsec Tunnel and IKEv2
    • Select IPsec EAP for the VPN server type
    • Enter the hostname of the VPN server you got in step 1 at Server IP address/Hostname
    • Enter your NordVPN service Username
    • Enter your NordVPN service Password

      You can find your NordVPN service credentials (service username and service password) in the Nord Account dashboard:
      1. Click Set up NordVPN manually.

      2. You will receive a verification code in your email that you use for NordVPN services. Type the code in: 

      3. Copy the credentials using the “Copy” buttons on the right:

    • Choose Digital Signature for IKE Authentication Method and select the IPsec Peer Identity Profile created in step 7 for Peer ID
    • Select AES with Authentication for IPsec Security Method
    • Click Advanced

  10. In the IKE advanced settings pop-up window, configure the following:
     
    • IKE phase 1 proposal as AES256_SHA1_G14
    • IKE phase 2 proposal as AES256_SHA1
    • IKE phase 1 key lifetime as 28800
    • IKE phase 2 key lifetime as 3600

  11. Click OK to close the window. At TCP/IP Network Settings:
     
    • Enter Remote Network IP as 0.0.0.0
    • Set Remote Network Mask to 0.0.0.0/00
    • Change Routing to NAT for this VPN connection
    • (optional) Enable Change Default Route to this VPN tunnel option if you want to route all traffic through NordVPN.

  12. After finishing the above settings, you can check the VPN status via VPN and Remote Access >> Connection Management page.
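
Steps 4 to 6 make root.der a trust anchor on the router, so it is worth checking the downloaded file before importing it. The following is an added example, not part of the original tutorial or of DrayTek's or NordVPN's tooling: it confirms the file is one complete DER-encoded certificate structure (not PEM text, an HTML error page or a truncated download) and compares its SHA-256 fingerprint with a value obtained out-of-band. The function names, the `expected_sha256` parameter and the sample bytes are assumptions; this page publishes no fingerprint, and the check is structural only (it does not verify the signature).

```python
import hashlib

def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, content, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                       # short form: the byte is the length
        length = first
    else:                                  # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER content")
    return tag, buf[pos:pos + length], pos + length

def check_root_der(data, expected_sha256=None):
    """Return the SHA-256 fingerprint (hex) of a DER certificate, or raise ValueError."""
    if data.lstrip().startswith(b"-----BEGIN"):
        raise ValueError("file is PEM text, not DER")
    tag, body, end = read_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("not a single DER SEQUENCE (wrong file or trailing data)")
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    tags, pos = [], 0
    while pos < len(body):
        t, _, pos = read_tlv(body, pos)
        tags.append(t)
    if tags != [0x30, 0x30, 0x03]:
        raise ValueError("outer structure is not an X.509 certificate")
    fp = hashlib.sha256(data).hexdigest()
    if expected_sha256 is not None and fp != expected_sha256.replace(":", "").lower():
        raise ValueError("fingerprint mismatch: " + fp)
    return fp

def tlv(tag, content):
    """Encode a DER TLV; only used to build the constructed sample below."""
    n = len(content)
    head = bytes([n]) if n < 0x80 else bytes([0x81, n])  # enough for < 256 bytes
    return bytes([tag]) + head + content

# Constructed sample with the outer shape of a certificate; NOT a real certificate.
SAMPLE = tlv(0x30, tlv(0x30, b"\x02\x01\x01" * 50) + tlv(0x30, b"\x06\x01\x2a")
             + tlv(0x03, b"\x00" + b"\xab" * 16))
```

For the real file, pass `open("root.der", "rb").read()` as `data` and the fingerprint you obtained through a separate channel as `expected_sha256`.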

Optional

You can create a Policy Route via Routing >> Load-Balance/Route Policy to send specific traffic to the NordVPN tunnel. To verify the policy, you can use the command “tracert” to check whether the defined traffic is going through the VPN tunnel correctly.

