So, eap-mschapv2 is here and supported for IKEv2. We have a nice manual for setting up a NordVPN connection https://wiki.mikrotik.com/wiki/IKEv2_EA ... the_tunnel. But can anyone help with how to route through the IPSec tunnel only traffic to some predetermined www sites (the list is created in Firewall -> Address Lists)? I believe I need a static NAT rule where dst-address-list will be set to my list of www sites? How to solve the problem of possible changes in IP from the NordVPN side (scripts)? Maybe someone can share a working example?
relieves you from the need to track the changes of the address you get from the responder by means of a dynamically generated (and dynamically updated) src-nat rule - you specify the name of an address-list which will be used in this rule as src-address-list. So traffic whose source IP matches that address list gets src-nated to the IP currently assigned to you by the responder, and is thus caught by the IPsec policy.

As this rule is placed in the very first position in the srcnat chain, there is no way to create exceptions from it. So one way to src-nat only packets towards listed destinations is to periodically schedule a script which would update the to-addresses item in a manually created action=src-nat rule, as @mrz suggests; another way is described here, but in my opinion the script way is much simpler.

Of course, an ability to specify a dst-address-list as another parameter of the mode-config item, so that the dynamically generated src-nat rule would only match on packets towards destinations matching that list, would be even nicer, but that's a feature request.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
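The "script way" from the reply above, written out as an added example (this is not code from the thread or from MikroTik's wiki). It assumes the IPsec peer is named NordVPN, the manually created NAT rule carries the comment nordvpn-selective, and the destination address list is called nordvpn-sites; change those three names to match your own config. It reads the currently assigned mode-config address from the dynamic IPsec policy (whose src-address is that address as a /32) rather than from the dynamic src-nat rule, so it works without setting src-address-list in the mode-config item at all:

```routeros
# Added example, not from the original thread. Assumed names: peer "NordVPN",
# NAT rule comment "nordvpn-selective", address list "nordvpn-sites".
#
# One-time setup. Address-list entries may be FQDNs; RouterOS resolves and
# refreshes them itself, which covers the "site changes its IP" case:
#   /ip firewall address-list add list=nordvpn-sites address=www.example.com
#   /ip firewall nat add chain=srcnat action=src-nat dst-address-list=nordvpn-sites \
#       to-addresses=0.0.0.0 disabled=yes comment="nordvpn-selective"
#   /system script add name=nordvpn-nat source={ <this script> }
#   /system scheduler add name=nordvpn-nat interval=30s on-event=nordvpn-nat

:local peerName "NordVPN"
:local ruleComment "nordvpn-selective"

:local rule [/ip firewall nat find comment=$ruleComment]
:if ([:len $rule] = 0) do={
    :error "nordvpn-nat: no NAT rule with comment $ruleComment"
}

# An initiator that received a mode-config address gets a dynamic policy with
# src-address=<assigned address>/32; that is the current tunnel address.
:local polId [/ip ipsec policy find dynamic=yes && peer=$peerName]

:if ([:len $polId] = 0) do={
    # Tunnel is down: disable the rule so listed destinations are not NATed to
    # a stale address. They will then leave via the default route untunneled;
    # add a matching drop rule in /ip firewall filter if that is unacceptable.
    :if ([/ip firewall nat get $rule disabled] = false) do={
        /ip firewall nat set $rule disabled=yes
        :log info "nordvpn-nat: no dynamic policy for $peerName, rule disabled"
    }
} else={
    :local cidr [:tostr [/ip ipsec policy get $polId src-address]]
    :local assigned [:pick $cidr 0 [:find $cidr "/"]]
    :local current [:tostr [/ip firewall nat get $rule to-addresses]]
    # Only touch the rule when something actually changed, so the scheduler
    # run is a no-op while the tunnel address is stable.
    :if ($current != $assigned || [/ip firewall nat get $rule disabled]) do={
        /ip firewall nat set $rule to-addresses=$assigned disabled=no
        :log info "nordvpn-nat: to-addresses set to $assigned"
    }
}
```

Keep the manual rule above any general masquerade rule for the WAN interface; since the IPsec policy matches on the source address after NAT, traffic to the listed destinations gets the tunnel address and is encrypted, everything else keeps your normal public IP.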