Vigor routers can establish a VPN tunnel to NordVPN using the IKEv2 EAP protocol. Refer to this article for more information:
https://www.draytek.com/support/knowledge-base/5371

Below are some tips to troubleshoot connection issues.

1. Fragmented Packets

In some cases, the VPN cannot be connected to NordVPN when “Allow pass inbound fragmented …” is disabled.
According to the captured packets, NordVPN sends large packets with a size of 2760, which need to be fragmented.
When “Allow pass inbound fragmented large packets (required for certain games and streaming)” is unchecked on Firewall General Setup, fragmented packets must be reassembled before they are processed. The largest size that a Vigor router can handle is 2282. Any larger packets (from NordVPN) will be dropped, resulting in failure to establish the VPN tunnel.

When you encounter the same issue, check the syslogs for the following entries:

“2019-09-02 09:00:23”, “## IKEv2 DBG : Out CP : request new virtual ip ”
“2019-09-02 09:00:35”, “[IPSEC][L2L][1:NordVPN][@149.27.102.82] IKE link timeout: state linking”
“2019-09-02 09:00:35”, “## IKEv2 DBG : INFORMATIONAL OUT : Sending IKEv2 Delete IKE SA request, deleting #138688”
Check if “Allow pass inbound fragmented large packets (required for certain games and streaming)” is enabled on the [Firewall] > [General Setup] page.

 

2. Password Length

A NordVPN password longer than 15 characters will cause the VPN connection to fail.

  • Keep the VPN password length less than 15 characters
  • Limit the use of special characters in the password, as these can cause issues.

When checking the syslogs, you may see the following:

2020-05-19 10:39:40         ## IKEv2 DBG : EAP continue : Can’t parse EAP msg desc

 2020-05-19 10:39:40        Prase error : not enough room in input packet for IKEv2 EAP Message Payload

 2020-05-19 10:39:40        ## IKEv2 DBG : Recv IKEv2_AUTH[35] Reply from 103.137.12.139, Peer is IKEv2 Responder

 2020-05-19 10:39:38        ## IKEv2 DBG : EAP continue : eap_msg.code = IKEv2_EAP_REQUEST[1] eap_msg.type = IKEv2_EAP_MSCHAPV2[26]

 2020-05-19 10:39:38        ## IKEv2 DBG : Recv IKEv2_AUTH[35] Reply from 103.137.12.139, Peer is IKEv2 Responder

 

3. WAN MTU Size

The default WAN MTU size of 1500 may be too large for some PPPoE connections.

It is recommended to reduce the MTU size to 1492 or smaller.

To check the maximum MTU size that can be used to establish a NordVPN connection, go to the WAN >> Internet Access menu and click on the “Path MTU Discovery” button.

  • Enter the IP address of the NordVPN server you are going to connect to
  • Click on “Detect” and the router will report a suitable MTU size to use

Syslogs may show a timeout message similar to the example below when the MTU size is too large:

 

“2020-05-12 08:34:31”, “## IKEv2 DBG : INFORMATIONAL OUT : Sending IKEv2 Delete IKE SA request, deleting #9”

“2020-05-12 08:34:31”, “[IPSEC][L2L][1:toNordVPN][@81.92.203.220] IKE link timeout: state linking”

“2020-05-12 08:34:18”, “## IKEv2 DBG : Out CP : request new virtual ip  “

“2020-05-12 08:34:18”, “## IKEv2 DBG : IKESA inR1_outI2 : #9 IKE SA Established, REPLACE after 2672 seconds”

“2020-05-12 08:34:18”, “## IKEv2 DBG : IKESA inR1_outI2 : Create Child SA #10, IKE SA is #9”

“2020-05-12 08:34:18”, “## IKEv2 DBG : IKESA inR1_outI2 : L2L toNordVPN IKEv2 EAP : use NAT mode”

“2020-05-12 08:34:18”, “## IKEv2 DBG : IKESA inR1_outI2 : Receive Notify (null)[16404], ignore it”

“2020-05-12 08:34:18”, “## IKEv2 DBG : IKESA inR1_outI2 : Receive Notify IKEv2_NAT_DETECTION_DESTINATION_IP[16389]”

“2020-05-12 08:34:18”, “## IKEv2 DBG : IKESA inR1_outI2 : Receive Notify IKEv2_NAT_DETECTION_SOURCE_IP[16388]”
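
The syslog signatures from tips 1 to 3 can be checked automatically over an exported log. The script below is an added example, not DrayTek code; the function names, the accepted line formats (quoted CSV or bare timestamp) and the "stalled_s" field are assumptions made for illustration.

```python
import re
from datetime import datetime

QUOTES = r'\s"“”″'  # straight and typographic quotes seen in exported syslogs
LINE = re.compile(
    rf'^[{QUOTES}]*(\d{{4}}-\d\d-\d\d \d\d:\d\d:\d\d)[{QUOTES},]*(.*?)[{QUOTES}]*$')
PEER = re.compile(r'\[@(\d{1,3}(?:\.\d{1,3}){3})\]')

# Message fragments quoted in tips 1-3, mapped to the tips to re-check.
SIGNATURES = [
    ("not enough room in input packet for IKEv2 EAP Message Payload", (2,)),
    ("IKE link timeout: state linking", (1, 3)),
]

def parse(text):
    """Return (datetime, message) pairs in chronological order."""
    rows = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            rows.append((ts, m.group(2)))
    return sorted(rows, key=lambda r: r[0])  # logs may be newest-first

def triage(text):
    """Return one finding per matched signature line."""
    findings, last_cp = [], None
    for ts, msg in parse(text):
        if "Out CP : request new virtual ip" in msg:
            last_cp = ts  # last request sent before a possible timeout
        for needle, tips in SIGNATURES:
            if needle not in msg:
                continue
            peer = PEER.search(msg)
            stalled = None
            if tips == (1, 3) and last_cp:
                stalled = int((ts - last_cp).total_seconds())
            findings.append({"time": ts.isoformat(sep=" "), "tips": tips,
                             "peer": peer.group(1) if peer else None,
                             "stalled_s": stalled})
    return findings

# Sample input assembled from the log excerpts in tips 1 and 2 above.
SAMPLE = """\
“2019-09-02 09:00:23”, “## IKEv2 DBG : Out CP : request new virtual ip ”
“2019-09-02 09:00:35”, “[IPSEC][L2L][1:NordVPN][@149.27.102.82] IKE link timeout: state linking”
 2020-05-19 10:39:40        Prase error : not enough room in input packet for IKEv2 EAP Message Payload
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A timeout finding points at both tip 1 and tip 3 because the article shows the same "IKE link timeout: state linking" entry for the fragmented-packet setting and for an oversized WAN MTU.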

4. Date and Time update

For the certificate to be valid, please make sure that the router’s system date is correct.

 

5.  Redirect all traffic through the VPN when it is established

Users who want all traffic to go through the established VPN tunnel need to direct the traffic to that VPN. See the figure below.

 

———————————————————————————————————————————————.

If the problem still persists, capture the syslogs and forward them to support@draytek.com.au for analysis.