Hello
Nordvpn and mikrotik ?
go or not go ?
I find on nordvpn site
https://support.nordvpn.com/Connectivit ... outers.htm
what you say ?
Re: NordVpn and mikrotik?
Well, IKEv2/IPSEC should do the trick. I do not have a NordVpn account, so can not verify.
Re: NordVpn and mikrotik?
No go, as stated on that page.
Re: NordVpn and mikrotik?
Then what's the issue with NordVPN and IKEv2/IPSEC?
Re: NordVpn and mikrotik?
Just checking that page says that they dropped support for ipsec/l2tp and going through the supported routers configuration samples they have, it's all open vpn now.
Sent from my SM-A520W using Tapatalk
Sent from my SM-A520W using Tapatalk
Re: NordVpn and mikrotik?
IKEv2/IPSEC is supported by NordVPN:
https://nordvpn.com/de/tutorials/windows-10/ikev2/
This is a tutorial for Windows 10, but it does not matter for the supported protocol and RouterOS does support IKEv2/IPSEC. So still: What's the issue? Just ignore what they say is not supported, probably they did not check for IKEv2/IPSEC in RouterOS.
https://nordvpn.com/de/tutorials/windows-10/ikev2/
This is a tutorial for Windows 10, but it does not matter for the supported protocol and RouterOS does support IKEv2/IPSEC. So still: What's the issue? Just ignore what they say is not supported, probably they did not check for IKEv2/IPSEC in RouterOS.
Re: NordVpn and mikrotik?
Hmmmm, interesting. I thought IKEv2 client could not do this. Going test this on a later moment.
Re: NordVpn and mikrotik?
and how to install Certificate in mikrotik ?
Re: NordVpn and mikrotik?
Thanks for the link, msatter! In short: currently EAP authentication as initiator is not possible for IKEv2. So the website is right, no-go with Mikrotik.
Re: NordVpn and mikrotik?
@Mikrotik: Can you please add EAP authentication as initiator for RouterOS v6 to fix this issue?
At least IKEv2 with certificates and EAP auth, commonly used by many VPN providers, should be supported on current RouterOS.
At least IKEv2 with certificates and EAP auth, commonly used by many VPN providers, should be supported on current RouterOS.
Re: NordVpn and mikrotik?
+1 same here! We need EAP for IKEv2...
Re: NordVpn and mikrotik?
So, eap-mschapv2 is here and supported for IKEv2. We have nice manual for setting up NordVPN connection https://wiki.mikrotik.com/wiki/IKEv2_EA ... the_tunnel. But can anyone help with how to route through IPSec tunnel only traffic to some predetermined www sites (list is created in Firewall -> Address Lists)? I believe I need static NAT rule where dst-address-list will be set to my list of www sites? How to solve the problem of possible changes in IP from NordVPN side (scripts)? Maybe someone can share working example?
Re: NordVpn and mikrotik?
Probably can be updated with a script if assigned IP has changed.
Re: NordVpn and mikrotik?
ementat.......... Is that new info based on the latest firmware release? I remember seeing something about VPN improvements!
Can one extrapolate that any VPN provider that uses a similar setup can also be used with RouterOS now?
Can one extrapolate that any VPN provider that uses a similar setup can also be used with RouterOS now?
Re: NordVpn and mikrotik?
anav
Code: Select all
MAJOR CHANGES IN v6.45.1:
----------------------
[b]!) ike2 - added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap, eap-mschapv2) as initiator;[/b]
Re: NordVpn and mikrotik?
IPsec mode-config relieves you from the need to track the changes of the address you get from the responder by means of a dynamically generated (and dynamically updated) src-nat rule - you specify a name of an address-list which will be used in this rule as src-address-list. So traffic whose source IP matches that address list gets src-nated to the IP currently assigned to you by the responder, and thus caught by the IPsec policy.So, eap-mschapv2 is here and supported for IKEv2. We have nice manual for setting up NordVPN connection https://wiki.mikrotik.com/wiki/IKEv2_EA ... the_tunnel. But can anyone help with how to route through IPSec tunnel only traffic to some predetermined www sites (list is created in Firewall -> Address Lists)? I believe I need static NAT rule where dst-address-list will be set to my list of www sites? How to solve the problem of possible changes in IP from NordVPN side (scripts)? Maybe someone can share working example?
As this rule is placed to the very first position in the srcnat chain, there is no way to create exceptions from it. So one way to src-nat only packets towards listed destinations is to periodically schedule a script which would update the to-addresses item in a manually created action=src-nat rule as @mrz suggests, another way is described here but in my opinion the script way is much simpler.
Of course, an ability to specify a dst-address-list as another parameter of the mode-config item, so that the dynamically generated src-nat rule would only match on packets towards destinations matching that list, would be even nicer, but that's a feature request
Re: NordVpn and mikrotik?
Any examples of such a script? Also I believe I need to remove dynamic NAT rule, correct?As this rule is placed to the very first position in the srcnat chain, there is no way to create exceptions from it. So one way to src-nat only packets towards listed destinations is to periodically schedule a script which would update the to-addresses item in a manually created action=src-nat rule as @mrz suggests, another way is described here but in my opinion the script way is much simpler.
Re: NordVpn and mikrotik?
You need to prevent the dynamic NAT rule from being created, which simply means not to set the address-list item in the request-only (responder=no) row in /ip ipsec mode-config you refer to from the /ip ipsec identity row you use for NordVPN.Any examples of such a script? Also I believe I need to remove dynamic NAT rule, correct?
As for the script, it would be something like
Code: Select all
if ([:len [/system script environment find name=lastIP]] = 0) do={global lastIP 8.8.8.8};
local currentIP [/ip address get [find dynamic !(address in your.wan.subnet.ip/mask) interface~"if-name"] address];
if ($lastIP != $currentIP) do={
ip firewall nat set [find chain=srcnat action=src-nat dst-address-list~"nordvpn-targets"] to-addresses=$currentIP;
system script environment set lastIP value=$currentIP;
}You need to run the script periodically using a scheduler. Every 5 seconds might be enough. Maybe Mikrotik will add a script item to the identity or mode-config one day in future so that the script would be spawned at every change, much like dhcp-client, dhcp-server and ppp profile work today.
Re: NordVpn and mikrotik?
when connected, the src-address in ipsec policy is the current ip address asinged by ikev2, is there a way to use this ip in script?
Re: NordVpn and mikrotik?
Of course there is, but you may end up with the same issue I've mentioned above. You may have more than one IPsec policy in place (or even more than one dynamic address assigned by an IKEv2 peer using mode-config), so the match criteria used to select the proper address have to be tailored to your environment in any case, regardless whether you fetch it from the dynamically assigned IP addresses or from the dynamically created IPsec policies (or both).when connected, the src-address in ipsec policy is the current ip address asinged by ikev2, is there a way to use this ip in script?
Re: NordVpn and mikrotik?
I have it working but need two routers in serie (cascade).
If I was you I eould wait till Mirotik implement the promised way to be able to do this in one one router.
If I was you I eould wait till Mirotik implement the promised way to be able to do this in one one router.
Re: NordVpn and mikrotik?
Thanks sindy! Your script worked.
I tried find address from ipsec policy by peer get the ip too.
So I can routing package by set the routing-mark of the source nat,
I tried find address from ipsec policy by peer get the ip too.
Code: Select all
local currentIP [/ip ipsec policy get [find peer~"pure"] src-address];Who is online
Users browsing this forum: No registered users and 67 guests