NordVPN and MikroTik?

Hello

NordVPN and MikroTik?

Go or no go?
I found this on the NordVPN site:
https://support.nordvpn.com/Connectivity/Router/1225872552/Not-supported-routers.htm

What do you say?

Well, IKEv2/IPSEC should do the trick. I do not have a NordVpn account, so can not verify.

No go, as stated on that page.

Then what’s the issue with NordVPN and IKEv2/IPSEC?

Just checking: that page says that they dropped support for IPsec/L2TP, and going through the supported router configuration samples they have, it's all OpenVPN now.

IKEv2/IPSEC is supported by NordVPN:
https://nordvpn.com/de/tutorials/windows-10/ikev2/

This is a tutorial for Windows 10, but it does not matter for the supported protocol and RouterOS does support IKEv2/IPSEC. So still: What’s the issue? Just ignore what they say is not supported, probably they did not check for IKEv2/IPSEC in RouterOS.

Hmmmm, interesting. I thought the IKEv2 client could not do this. Going to test this at a later moment.

And how do I install a certificate in MikroTik?

I just checked and it is not going to happen until ROS 7.

http://forum.mikrotik.com/t/help-with-ikev2-ipsec-client-configuration/112751/8

Thanks for the link, msatter! In short: currently EAP authentication as initiator is not possible for IKEv2. So the website is right, no-go with Mikrotik.

@Mikrotik: Can you please add EAP authentication as initiator for RouterOS v6 to fix this issue?
At least IKEv2 with certificates and EAP auth, commonly used by many VPN providers, should be supported on current RouterOS.

+1 same here! We need EAP for IKEv2…

So, eap-mschapv2 is here and supported for IKEv2. We have a nice manual for setting up a NordVPN connection: https://wiki.mikrotik.com/wiki/IKEv2_EAP_between_NordVPN_and_RouterOS#Option_1:_Sending_all_traffic_over_the_tunnel. But can anyone help with how to route only traffic to some predetermined www sites (list created in Firewall → Address Lists) through the IPsec tunnel? I believe I need a static NAT rule where dst-address-list is set to my list of www sites? How to solve the problem of possible changes in the IP assigned from the NordVPN side (scripts)? Maybe someone can share a working example?

It can probably be updated with a script if the assigned IP has changed.

ementat… Is that new info based on the latest firmware release? I remember seeing something about VPN improvements!
Can one extrapolate that any VPN provider that uses a similar setup can also be used with RouterOS now?

anav

MAJOR CHANGES IN v6.45.1:
----------------------
!) ike2 - added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap, eap-mschapv2) as initiator;

IPsec mode-config relieves you from the need to track the changes of the address you get from the responder by means of a dynamically generated (and dynamically updated) src-nat rule - you specify a name of an address-list which will be used in this rule as src-address-list. So traffic whose source IP matches that address list gets src-nated to the IP currently assigned to you by the responder, and thus caught by the IPsec policy.

As this rule is placed to the very first position in the srcnat chain, there is no way to create exceptions from it. So one way to src-nat only packets towards listed destinations is to periodically schedule a script which would update the to-addresses item in a manually created action=src-nat rule as @mrz suggests, another way is described here but in my opinion the script way is much simpler.

Of course, an ability to specify a dst-address-list as another parameter of the mode-config item, so that the dynamically generated src-nat rule would only match on packets towards destinations matching that list, would be even nicer, but that’s a feature request :wink:

Any examples of such a script? Also, I believe I need to remove the dynamic NAT rule, correct?

You need to prevent the dynamic NAT rule from being created, which simply means not to set the address-list item in the request-only (responder=no) row in /ip ipsec mode-config you refer to from the /ip ipsec identity row you use for NordVPN.

As for the script, it would be something like

# Keep the last seen tunnel IP in a global so it survives between scheduler runs.
:global lastIP
:if ([:len [/system script environment find name=lastIP]] = 0) do={ :set lastIP "8.8.8.8" }
# The dynamic address that IKEv2 mode-config attached to an interface; adapt the interface name and the excluded WAN subnet.
:local addr [/ip address get [find dynamic !(address in your.wan.subnet.ip/mask) interface~"if-name"] address]
# /ip address returns "a.b.c.d/32"; to-addresses needs the bare IP, so drop the prefix length.
:local currentIP [:pick $addr 0 [:find $addr "/"]]
:if ($lastIP != $currentIP) do={
    # Retarget the manually created src-nat rule at the new tunnel address.
    /ip firewall nat set [find chain=srcnat action=src-nat dst-address-list~"nordvpn-targets"] to-addresses=$currentIP
    :set lastIP $currentIP
}

The rule to fetch the current IP assigned by IKEv2 has to be carefully adapted to your environment - it gets attached to some existing interface and I don’t know the criteria used to choose that interface, so the match conditions of the find include the interface name and an exclusion of a subnet from which you eventually get your normal WAN address from the ISP’s DHCP so that only the dynamically assigned IP you really need would match.

You need to run the script periodically using a scheduler. Every 5 seconds might be enough. Maybe Mikrotik will add a script item to the identity or mode-config one day in future so that the script would be spawned at every change, much like dhcp-client, dhcp-server and ppp profile work today.
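A minimal RouterOS configuration that the scheduled script above expects, added here as an example; it is not from the thread or from the MikroTik wiki page linked earlier. The peer hostname, credentials, LAN subnet, address-list entries and object names are placeholders (assumptions), and the provider certificate settings are left to the wiki page rather than guessed here. The point it shows is the one made in the posts above: the request-only mode-config carries no address-list, so no catch-all dynamic src-nat rule is generated, and a manually created src-nat rule restricted to dst-address-list=nordvpn-targets is the only thing that steers traffic into the IPsec policy.

```routeros
# Assumed placeholders: xx.nordvpn.com, user@example.com / secret, 192.168.88.0/24, 203.0.113.0/24.

/ip ipsec profile add name=NordVPN
/ip ipsec peer add name=NordVPN address=xx.nordvpn.com exchange-mode=ike2 profile=NordVPN
/ip ipsec proposal add name=NordVPN pfs-group=none
/ip ipsec policy group add name=NordVPN
# Template policy: with generate-policy=port-strict the address handed out by
# mode-config becomes the src-address of the dynamically generated policy.
/ip ipsec policy add template=yes group=NordVPN proposal=NordVPN \
    src-address=0.0.0.0/0 dst-address=0.0.0.0/0

# Request-only mode-config WITHOUT an address-list item: RouterOS then does not
# create the dynamic src-nat rule at the top of the srcnat chain.
/ip ipsec mode-config add name=NordVPN responder=no

# EAP as initiator (RouterOS 6.45.1+). Certificate parameters are omitted here;
# take them from the wiki page linked in the thread.
/ip ipsec identity add peer=NordVPN auth-method=eap eap-methods=eap-mschapv2 \
    username=user@example.com password=secret mode-config=NordVPN \
    policy-template-group=NordVPN generate-policy=port-strict

# Destinations that should go through the tunnel (constructed example entry).
/ip firewall address-list add list=nordvpn-targets address=203.0.113.0/24

# Manual src-nat rule, placed before the normal WAN masquerade so it wins.
# to-addresses is a dummy until the scheduled script rewrites it with the
# address currently assigned by the responder.
/ip firewall nat add chain=srcnat action=src-nat src-address=192.168.88.0/24 \
    dst-address-list=nordvpn-targets to-addresses=0.0.0.0 \
    comment="to-addresses maintained by nordvpn-nat-update" \
    place-before=[:pick [find chain=srcnat action=masquerade] 0]

# Store the script from the post above under this name and run it every 5 s.
/system script add name=nordvpn-nat-update source="<paste the script body here>"
/system scheduler add name=nordvpn-nat-update interval=5s on-event=nordvpn-nat-update
```

Only packets that match the nordvpn-targets list get their source rewritten to the tunnel address, so only they match the generated IPsec policy; everything else still leaves through the regular masquerade rule. Until the script has run once after the tunnel comes up, the rule still carries the dummy to-addresses, so either keep the scheduler interval short, as suggested above, or add the rule disabled and let the script enable it on the first update.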

When connected, the src-address in the IPsec policy is the current IP address assigned by IKEv2. Is there a way to use this IP in the script?