Setting up manual IKEv2 connection on Windows 8/10

The IKEv2/IPsec connection is one of the alternative methods to connect to NordLayer private gateway(s) on your Windows PC. This is the preferred connection method among privacy enthusiasts, as the IKEv2/IPsec security protocol is currently one of the most advanced on the market. That said, this manual setup lacks the additional features of the native NordLayer app and is a bit more complicated to set up.

Disclaimer: This connection method will require you to add the certificate to Trusted Root Authorities, which will apply to all certificates. This might potentially put your system at risk of a MITM attack if someone gets the private key of that certificate. While our private keys are completely secure and the chances of anything bad happening are very small, we recommend this connection method only if you cannot connect using our native app or any other alternative way.

To use this connection method, the only file you need to download and install is the NordLayer digital certificate. The connection application itself is already in-built on Windows.

1. Download the certificate: https://downloads.nordlayer.com/certificates/root.der

Note: Your browser may try to save the file in its own certificate location or open it immediately. Make sure to download the file instead of just opening it. On Firefox, right-click the link above and select "Save Link As...". On Internet Explorer, select "Save" instead of "Open". Chrome will download the file correctly.

Double-click the root.der file you have just downloaded.

2. Click Open

3. Click Install Certificate…

4. Select Local Machine and click Next

5. Select Place all certificates in the following store and click Browse...

6. Select Trusted Root Certification Authorities

Click OK and then Next.

7. Click Finish

8. Click OK on both windows

9. Open the Run box by pressing the Windows + R key combination on your keyboard

Type certmgr.msc in the Run box to open the certificates management tool.

10. Navigate to Trusted Root Certification Authorities > Certificates and find CyberHop Root CA

11. Right-click on CyberHop Root CA and select Properties

12. Check the Enable only for the following purposes option and uncheck all the boxes except the Server Authentication box

13. Click OK and Apply

Set up a VPN connection:

1. Open the Windows Start Menu and type control panel in the search bar. In the search results, click on Control Panel

2. Open Network and Internet

3. Click on Network and Sharing Center

4. Click Set up a new connection or network

5. Click Connect to a workplace and hit Next

6. If asked "Do you want to use a connection that you already have?", select No, create a new connection and click Next

7. Click Use my Internet connection (VPN)

8. In the Internet address field, type the hostname or IP of your private gateway, which can be found on our Downloads page

At the same time, you should copy the service credentials (username and password) at the bottom of the page.

9. For the Destination name, enter any name you would like your connection to have

10. Open Network and sharing center again and click Change adapter settings

11. Right-click the adapter with the name you’ve just created, click Properties, and go to the Security tab

12. Configure as follows:

• Type of VPN: IKEv2
• Data encryption: Require encryption (disconnect if server declines)
• Authentication: Use Extensible Authentication Protocol(EAP) and EAP-MSCHAPv2

13. Open the Networking tab and uncheck the Internet Protocol Version 6 (TCP/IPv6) box

14. Click OK

15. In the system tray located in the bottom-right corner of the screen, click on either the Wi-Fi or Ethernet connection icon and click Open Network & Internet settings

16. In the left sidebar of the settings, select VPN, find your created IKEv2 connection, and click on Advanced options

17. Click Edit and enter your NordLayer service username and password that you have copied earlier

18. Click on the network icon again in the system tray in the bottom-right corner of the screen and click Connect under NordVPN IKEv2

19. You should now be connected

Note: In case you have any questions or are experiencing any issues, please feel free to contact our 24/7 customer support team.