Applies to RouterOS: v6.45.2+
Starting from RouterOS v6.45, it is possible to establish an IKEv2-secured tunnel to NordVPN servers using EAP authentication. This manual page explains how to configure it.
The steps below use cipher settings that are considered safe, but NordVPN also supports stronger encryption. Check which hardware acceleration your MikroTik router supports and consider using such ciphers instead in the steps below.
Installing the root CA
Start off by downloading and importing the NordVPN root CA certificate.
The trusted NordVPN Root CA certificate should now be listed in the System/Certificates menu.
Finding out the server's hostname
Navigate to https://nordvpn.com/servers/tools/ and find out the recommended server's hostname. In this case it is lv20.nordvpn.com.
Setting up the IPsec tunnel
It is advisable to create a separate Phase 1 profile and Phase 2 proposal so that they do not interfere with any existing or future IPsec configuration.
While it is possible to use the default policy template for policy generation, it is better to create a new policy group and template to separate this configuration from any other IPsec configuration.
Create a new mode config entry with responder=no that will request configuration parameters from the server.
Lastly, create peer and identity configurations. Specify your NordVPN credentials in username and password parameters.
Verify that the connection is successfully established.
Choosing what to send over the tunnel
If we look at the generated dynamic policies, we see that only traffic with a specific source address (the one received via mode config) will be sent through the tunnel. In most cases, however, the router needs to route a specific device or network through the tunnel. In that case we can use source NAT to change the source address of packets to match the mode config address. Since the mode config address is dynamic, a static source NAT rule cannot be created; instead, RouterOS can generate dynamic source NAT rules for mode config clients.
Option 1: Sending all traffic over the tunnel
In this example, we have a local network 10.5.8.0/24 behind the router and we want all traffic from this network to be sent over the tunnel. First of all, we have to make a new IP/Firewall/Address list which consists of our local network.
It is also possible to specify only single hosts from which all traffic will be sent over the tunnel. Example:
When that is done, assign the newly created IP/Firewall/Address list to the mode config entry.
Verify that the correct source NAT rule is dynamically generated when the tunnel is established.
Warning: Make sure the dynamic mode config address is not part of the local network.
Option 2: Accessing certain addresses over the tunnel
It is also possible to send only specific traffic over the tunnel by using the connection-mark parameter in the Mangle firewall. It works similarly to Option 1: a dynamic NAT rule is generated based on the connection-mark parameter configured under mode config.
First of all, set the connection-mark under your mode config configuration.
When it is done, a NAT rule is generated with the dynamic address provided by the server:
After that, it is possible to apply this connection-mark to any traffic using Mangle firewall. In this example, access to mikrotik.com and 8.8.8.8 is granted over the tunnel.
Create a new address list:
Apply connection-mark to traffic matching the created address list:
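The whole procedure above (root CA, profile and proposal, policy template, mode config, peer and identity, and both routing options) as an added RouterOS CLI example; this is not the wiki page's own command listing. The root CA URL, username and password are placeholders, and the hostname lv20.nordvpn.com and network 10.5.8.0/24 are the values used in the text.

```routeros
# Added example (RouterOS v6.45.2+), not copied from the wiki page.
# Placeholders: <root-ca-url>, <nordvpn-username>, <password>.

# 1. Install the NordVPN root CA (take the .der URL from nordvpn.com)
/tool fetch url="<root-ca-url>" dst-path=nordvpn-root.der
/certificate import file-name=nordvpn-root.der passphrase=""

# 2. Separate Phase 1 profile and Phase 2 proposal so other IPsec setups stay untouched
/ip ipsec profile add name=NordVPN
/ip ipsec proposal add name=NordVPN pfs-group=none

# 3. Dedicated policy group and template for the tunnel's dynamically generated policies
/ip ipsec policy group add name=NordVPN
/ip ipsec policy add group=NordVPN template=yes src-address=0.0.0.0/0 dst-address=0.0.0.0/0 proposal=NordVPN

# 4. Mode config as initiator: request the tunnel address from the server
/ip ipsec mode-config add name=NordVPN responder=no

# 5. Peer and EAP (MSCHAPv2) identity; certificate="" because the server is verified against the CA
/ip ipsec peer add name=NordVPN address=lv20.nordvpn.com exchange-mode=ike2 profile=NordVPN
/ip ipsec identity add peer=NordVPN auth-method=eap eap-methods=eap-mschapv2 certificate="" \
    username="<nordvpn-username>" password="<password>" \
    mode-config=NordVPN policy-template-group=NordVPN generate-policy=port-strict

# 6. Verify: the peer should be established and a dynamic policy should exist
/ip ipsec active-peers print
/ip ipsec policy print

# Option 1: all traffic from the local network 10.5.8.0/24 goes through the tunnel
/ip firewall address-list add list=local address=10.5.8.0/24
/ip ipsec mode-config set [ find name=NordVPN ] src-address-list=local

# Option 2: only connections marked NordVPN use the tunnel (setting both
# src-address-list and connection-mark gives the combination described in the note)
/ip ipsec mode-config set [ find name=NordVPN ] connection-mark=NordVPN
/ip firewall address-list add list=NordVPN address=mikrotik.com
/ip firewall address-list add list=NordVPN address=8.8.8.8
/ip firewall mangle add chain=prerouting dst-address-list=NordVPN \
    action=mark-connection new-connection-mark=NordVPN passthrough=yes

# Once the tunnel is up, the dynamic src-nat rule (flag D) should be listed here
/ip firewall nat print
```

Which of the two options is in effect is decided solely by which of src-address-list and connection-mark are set on the mode config entry, so the mangle rule alone does nothing until connection-mark is configured there.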
Note: It is also possible to combine both options (1 and 2) to allow access to specific addresses only for specific local addresses/networks
Retrieved from 'https://wiki.mikrotik.com/index.php?title=IKEv2_EAP_between_NordVPN_and_RouterOS&oldid=33479'