frazer.network

Configure Cisco IOS Router with NordVPN using IKEv2/IPsec

The configuration below replicates the behaviour of an IKEv2/IPsec VPN client, but on a Cisco IOS router, so that selected traffic is tunnelled via NordVPN.

This guide assumes a working knowledge of Cisco routers; you will need to make your own adjustments for DNS resolution and for securing the VPN once it is deployed.

The router authenticates itself to NordVPN with your service-credential username/password (EAP-MSCHAPv2) and authenticates the NordVPN peer by its certificate, which must chain to Nord’s root CA.

1. Login to your NordVPN account, navigate to “NordVPN” and then “Set up NordVPN manually”.

2. Take a note of your chosen peer (the server hostname), then browse to “Service credentials” and note down your own unique username/password. These are separate from your NordVPN account login.

Make sure IKEv2/IPsec is listed under the available protocols.

3. Go to Help Centre and search “Connect to NordVPN (IKEv2/IPSec) on Windows”

A guide should come up with a link to download Nord’s rootCA certificate. Grab a copy of this.

4. Download OpenSSL:

Windows:

https://sourceforge.net/projects/openssl-for-windows

Linux:

https://openssl-library.org/source

5. Move the certificate to the OpenSSL root folder beside openssl.exe

Open CMD/terminal, change directory to the local folder and convert the certificate from .der to .pem:

openssl x509 -inform der -in root.der -out root.pem

You should now see a root.pem certificate in the folder.

6. Create an associated trustpoint on the Cisco router.

Login to your router and enter the following:

crypto pki trustpoint TP_NORD_VPN
enrollment terminal
subject-name CN=NordVPN Root CA
revocation-check none
exit

‘revocation-check none’ is pragmatic here, since the router cannot reach a CRL or OCSP responder before the tunnel is up, but it does mean a revoked NordVPN server certificate would still be accepted.

7. Open root.pem with Notepad and copy its contents to your clipboard. Execute the following, paste the certificate into the terminal and finish with ‘quit’ on a line of its own:

crypto pki authenticate TP_NORD_VPN

-----BEGIN CERTIFICATE-----
XXXXXXXXXXX
-----END CERTIFICATE-----

quit

The router then displays the certificate’s MD5 and SHA1 fingerprints and asks whether to accept it. Before answering yes, compare the SHA1 fingerprint with the one OpenSSL reports for the file you downloaded (openssl x509 -in root.pem -noout -subject -fingerprint -sha1). This is the only point at which the CA you are about to trust for every NordVPN peer is actually checked.

Verify the certificate can be seen with ‘show crypto pki trustpoints’.

R1#show crypto pki trustpoints

Trustpoint TP_NORD_VPN:
Subject Name:
cn=NordVPN Root CA
o=NordVPN
c=PA
Serial Number (hex): 01
Certificate configured.

8. Configure VPN

(The below is an IOS-XE configuration; minor adjustments may be required for IOS 12/IOS 15.)

  • This approach will use a combination of an IPsec VTI (Virtual Tunnel Interface), NAT and policy-based routing.
  • You may need to adjust your router ACLs or ZBFW to permit the VPN tunnel, this will depend on your individual setup.
  • I have used ‘dialer1’ as my tunnel source interface, you will need to adjust this command accordingly to map to your own router outside interface.
  • Be sure to add your desired peer and your unique username/password obtained in step 2.

! Configure name-servers and enable domain lookup
ip name-server 1.1.1.1 8.8.8.8
ip domain lookup

! Phase 1 proposal
crypto ikev2 proposal IKEv2_PROPOSAL
encryption aes-cbc-256
integrity sha256
group 14

! Phase 1 policy
crypto ikev2 policy IKEv2_POLICY
proposal IKEv2_PROPOSAL

! Phase 1 keyring (not referenced by the profile below: the remote peer is authenticated by
! certificate and the router by EAP, so no pre-shared key is needed and this block can be omitted)
crypto ikev2 keyring IKEv2_KEYRING
peer XXXXXXX.nordvpn.com

! Phase 1 profile (the service-credential password is stored in the running config; treat config backups accordingly)
crypto ikev2 profile IKEv2_PROF_NORD_VPN
match identity remote fqdn XXXXXXX.nordvpn.com
authentication remote rsa-sig
authentication local eap mschapv2 username ZZZZZZZZZ password YYYYYYYYY
pki trustpoint TP_NORD_VPN

! Phase 2 transform-set
crypto ipsec transform-set ESP_AES256_SHA256 esp-aes 256 esp-sha256-hmac
mode tunnel

! Phase 2 profile
crypto ipsec profile IPSEC_PROF_NORD_VPN
set transform-set ESP_AES256_SHA256
set security-association lifetime seconds 86400
set security-association lifetime kilobytes disable
set ikev2-profile IKEv2_PROF_NORD_VPN
set pfs group14

! Configure tunnel interface.
interface Tunnel1
description ### NORD VPN ###
ip address negotiated
no ip redirects
no ip unreachables
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source Dialer1
tunnel mode ipsec ipv4
tunnel destination XXXXXXX.nordvpn.com
tunnel protection ipsec profile IPSEC_PROF_NORD_VPN

9. Verify tunnel has come up and IP has been assigned to VTI.

R1#show crypto ikev2 sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 x.x.x.x/4500 x.x.x.x/4500 none/none READY
Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:14, Auth sign: EAP, Auth verify: RSA
Life/Active Time: 86400/1120 sec
CE id: 1004, Session-id: 4
Local spi: ZZZZZZ Remote spi: YYYYYY

R1#show crypto ipsec sa
interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr Z.Z.Z.Z

protected vrf: (none)
local ident (addr/mask/prot/port): (10.X.X.X/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer X.X.X.X port 4500
PERMIT, flags={}
#pkts encaps: 163, #pkts encrypt: 163, #pkts digest: 163
#pkts decaps: 161, #pkts decrypt: 161, #pkts verify: 161
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

R1#show ip int brief
Interface IP-Address OK? Method Status Protocol
Tunnel1 10.x.x.x YES NVRAM up up

10. Adjust NAT to re-route desired client devices out the VPN tunnel but allow everything else to break out locally.

In this scenario dialer1 is my outside interface and tunnel1 is the VTI.

! Dialer 1 NAT ACL and route-map.

! I’ve chosen hosts 192.168.1.200 and 192.168.1.201 to be re-routed via the VPN. The ‘deny’ statements stop those hosts being translated out of the dialer interface, so they never get a usable path to the Internet other than through the tunnel.

ip access-list extended NAT
10 deny ip host 192.168.1.200 any
20 deny ip host 192.168.1.201 any
30 permit ip 10.0.0.0 0.255.255.255 any
40 permit ip 172.16.0.0 0.15.255.255 any
50 permit ip 192.168.0.0 0.0.255.255 any

route-map RM_NAT_OUT permit 10
match ip address NAT
match interface Dialer1

ip nat inside source route-map RM_NAT_OUT interface Dialer1 overload

! VPN NAT ACL and route-map.

! Outbound connections from my chosen hosts will be translated to sit behind the VTI IP.

ip access-list extended VPN_NAT
10 permit ip 10.0.0.0 0.255.255.255 any
20 permit ip 172.16.0.0 0.15.255.255 any
30 permit ip 192.168.0.0 0.0.255.255 any

route-map RM_NORD_VPN permit 10
match ip address VPN_NAT
match interface Tunnel1

ip nat inside source route-map RM_NORD_VPN interface Tunnel1 overload

! Configure policy based routing and NAT on inside/VPN interfaces.

interface Vlan1
ip nat inside
ip policy route-map PBR_NORD_VPN

interface Tunnel1
ip nat outside
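The ‘ip policy route-map PBR_NORD_VPN’ command above references a route-map that the post does not show. The following is an added example of how it can be defined; it is not the original author’s configuration. The ACL name PBR_VPN_HOSTS is my own choice, and Null0 is listed as a second ‘set interface’ target as an assumption about the desired behaviour: if Tunnel1 is down, the two hosts are black-holed rather than falling back to the normal routing table and leaving via Dialer1 untranslated.

```cisco
! Added example (not from the original post): policy-based routing for the two VPN hosts.
! ACL name is my own choice; the host addresses are the ones chosen in step 10.
ip access-list extended PBR_VPN_HOSTS
 ! Keep private/local destinations on the normal routing table so the VPN hosts
 ! can still reach other internal subnets and the router itself.
 10 deny ip any 10.0.0.0 0.255.255.255
 20 deny ip any 172.16.0.0 0.15.255.255
 30 deny ip any 192.168.0.0 0.0.255.255
 40 permit ip host 192.168.1.200 any
 50 permit ip host 192.168.1.201 any

route-map PBR_NORD_VPN permit 10
 match ip address PBR_VPN_HOSTS
 ! The first interface that is up is used. With Tunnel1 down, Null0 drops the
 ! packet instead of letting it fall through to the routing table (kill-switch).
 set interface Tunnel1 Null0

! Traffic from any other host matches no sequence and is routed normally,
! i.e. out Dialer1 with the RM_NAT_OUT translation.
```

Check that the policy is actually being hit with ‘show route-map PBR_NORD_VPN’ (the match counters increase as the chosen hosts send traffic) and, with the tunnel shut, confirm that ‘show ip nat translations | inc 192.168.1.20’ shows no new entries behind the Dialer1 address.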

11. Verify outbound NAT translations for hosts via the tunnel interface (10.x.x.x IP).

R1#show ip nat translations | inc 192.168.1.201
tcp 10.x.x.x:5062 192.168.1.201:34733 x.x.x.x:443 x.x.x.x:443
udp 10.x.x.x:5062 192.168.1.201:33778 x.x.x.x:53 x.x.x.x:53
tcp 10.x.x.x:5065 192.168.1.201:34735 x.x.x.x:443 x.x.x.x:443
tcp 10.x.x.x:5064 192.168.1.201:34734 x.x.x.x:443 x.x.x.x:443

It is advisable to point the VPN hosts at Nord’s DNS servers so that their name resolution also travels through the tunnel rather than to your ISP’s resolvers, which would both leak the hostnames being looked up and return geographically local answers. This can be set manually on each end device or with DHCP reservations on the router. Below are examples using client-identifier and hardware-address.

ip dhcp pool VPN_DEVICE_01
host 192.168.1.200 255.255.255.0
client-identifier 01xx.xxyy.yyzz.zz
default-router 192.168.1.1
dns-server 103.86.99.100 103.86.96.100

ip dhcp pool VPN_DEVICE_02
host 192.168.1.201 255.255.255.0
hardware-address xxxx.yyyy.zzzz
default-router 192.168.1.1
dns-server 103.86.99.100 103.86.96.100

PAT gives a degree of protection, since an unsolicited packet arriving on Tunnel1 has no translation entry and is dropped, but that is not a firewall: the router itself is still reachable on its VTI address from the provider’s network, so the tunnel interface should be secured with an ACL or ZBFW rule. I will leave it to you to engineer the solution that works best for you.

If you are configuring ZBFW, be sure to remember the ‘self’ zone and to configure policies for it as well as for inter-zone traffic; otherwise your router control plane will be open to the world.

If you are configuring the above on IOS 15 and would prefer not to use ZBFW, I would recommend looking at CBAC as a stateful firewall solution. This is a significant improvement over stateless or reflexive ACLs.
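The post leaves the firewall to the reader; the following is an added example of a minimal ZBFW for this topology, not the author’s configuration. Zone, class-map, policy-map and ACL names are my own, and X.X.X.X stands for the NordVPN peer address. It shows the two things the text warns about: an explicit self-zone policy that admits only IKE/ESP from the peer, and inspection of the router’s own outbound sessions so that their replies are not dropped once that self-zone policy exists.

```cisco
! Added example (not from the original post). Names are my own; X.X.X.X is the
! NordVPN peer address (the value the EEM script keeps in its object group).

zone security INSIDE
zone security OUTSIDE
zone security VPN

interface Vlan1
 zone-member security INSIDE
interface Dialer1
 zone-member security OUTSIDE
interface Tunnel1
 zone-member security VPN

! LAN sessions, whether they leave via the ISP or via the tunnel: inspect
! TCP/UDP/ICMP so only their replies are allowed back in, drop everything else.
class-map type inspect match-any CM_LAN_TRAFFIC
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect PM_INSIDE_OUT
 class type inspect CM_LAN_TRAFFIC
  inspect
 class class-default
  drop log

zone-pair security ZP_INSIDE_OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM_INSIDE_OUT
zone-pair security ZP_INSIDE_VPN source INSIDE destination VPN
 service-policy type inspect PM_INSIDE_OUT
! No OUTSIDE->INSIDE or VPN->INSIDE zone-pair is defined, so unsolicited traffic
! from the Internet or from the provider's network is dropped.

! IKE (UDP/500, UDP/4500) and ESP between the router and the peer are passed
! statelessly in both directions: this is the traffic the tunnel is built from.
ip access-list extended ACL_PEER_TO_SELF
 10 permit udp host X.X.X.X any eq isakmp
 20 permit udp host X.X.X.X any eq non500-isakmp
 30 permit esp host X.X.X.X any
ip access-list extended ACL_SELF_TO_PEER
 10 permit udp any host X.X.X.X eq isakmp
 20 permit udp any host X.X.X.X eq non500-isakmp
 30 permit esp any host X.X.X.X
class-map type inspect match-all CM_PEER_TO_SELF
 match access-group name ACL_PEER_TO_SELF
class-map type inspect match-all CM_SELF_TO_PEER
 match access-group name ACL_SELF_TO_PEER

! OUTSIDE -> self: only IKE/ESP from the peer reaches the control plane.
policy-map type inspect PM_OUTSIDE_TO_SELF
 class type inspect CM_PEER_TO_SELF
  pass
 class class-default
  drop log
zone-pair security ZP_OUTSIDE_SELF source OUTSIDE destination self
 service-policy type inspect PM_OUTSIDE_TO_SELF

! self -> OUTSIDE: once an OUTSIDE->self policy exists, the router's own sessions
! (DNS to the name-servers, NTP, ...) must be inspected here, otherwise their
! replies hit the class-default drop above.
policy-map type inspect PM_SELF_TO_OUTSIDE
 class type inspect CM_SELF_TO_PEER
  pass
 class type inspect CM_LAN_TRAFFIC
  inspect
 class class-default
  drop log
zone-pair security ZP_SELF_OUTSIDE source self destination OUTSIDE
 service-policy type inspect PM_SELF_TO_OUTSIDE

! VPN -> self: nothing on the provider's side needs to reach the router itself.
policy-map type inspect PM_DROP_ALL
 class class-default
  drop log
zone-pair security ZP_VPN_SELF source VPN destination self
 service-policy type inspect PM_DROP_ALL
```

Verify with ‘show zone-pair security’ and ‘show policy-map type inspect zone-pair sessions’, and watch the log for ‘drop log’ hits while the tunnel is established. If you later switch to the full-tunnel variant with a default route via Tunnel1, the router’s own DNS and NTP will also leave through the VPN, so a self -> VPN zone-pair with the same inspect policy becomes necessary.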

Final thoughts

  • IOS resolves the FQDN given as the tunnel destination to an IP address and stores that IP in the config, so a change of the peer’s address would otherwise go unnoticed. The EEM applet below runs every 60 seconds and re-applies the tunnel destination and the network object-group that my outside-interface ACL references to permit ESP, UDP/500 and UDP/4500. Re-applying an unchanged destination has no impact on the tunnel, as the router is for the most part just applying the same config; only an actual change of IP takes effect. A logging discriminator keeps the applet’s output out of the buffer so it isn’t filled up.

event manager applet EEM_VPN_PEER_1
event timer cron name 60-SECONDS cron-entry "* * * * *"
action 1.1 cli command "enable"
action 1.2 cli command "conf t"
action 1.3 cli command "int tu1"
action 1.4 cli command "tunnel destination vpn-peer1.com"
action 1.5 cli command "object-group network FQDN_VPN"
action 1.6 cli command "vpn-peer1.com"
action 1.7 cli command "end"

logging discriminator EEM msg-body drops .*User:unknown user.*$|.*EEM:EEM_VPN_.*$
logging buffered discriminator EEM 10240000

  • It is possible to route all traffic via the tunnel by configuring a host route to the VPN peer via the outside interface and a default route via the tunnel. The /32 is essential: without it the router would route the encrypted packets destined for the peer into the tunnel itself (recursive routing) and the tunnel would flap. If you use the EEM applet above, remember that this static route must also follow the peer’s current address. For example:

ip route x.x.x.x 255.255.255.255 dialer1 name NORD_VPN_PEER

ip route 0.0.0.0 0.0.0.0 tunnel1 name DEFAULT_VIA_VPN

