Thank you for your help.
Here is my ipsec config:
[stonie@MikroTik_Router] > /ip ipsec export hide-sensitive
# mar/02/2020 17:07:13 by RouterOS 6.46.4
# software id = JAQM-WPKB
#
# model = CCR1009-8G-1S-1S+
# serial number = 5A18043D07A0
/ip ipsec mode-config
add connection-mark=NordVPN name=NordVPN responder=no
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
add name=NordVPN
/ip ipsec peer
add address=de713.nordvpn.com exchange-mode=ike2 name=NordVPN profile=NordVPN
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des pfs-group=none
add name=NordVPN pfs-group=none
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=NordVPN peer=NordVPN policy-template-group=NordVPN username=xxxxx@xxxxmail.com
/ip ipsec policy
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=0.0.0.0/0 template=yes
Sytem time is one minute off to my PC, should be ok, or not?
Certificate is installed, like in the howto described:
[stonie@MikroTik_Router] > /certificate print where name~"root.der"
Flags: K - private-key, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted
# NAME COMMON-NAME SUBJECT-ALT-NAME FINGERPRINT
0 T root.der_0 NordVPN Root CA 8b5a495db498a6c2c8ca7af6ae4a...