HuronIT
New Member
February 9, 2026
Question

Mobile router VPN connection setup


I'm trying to get our new mobile routers set up with our FortiGate 80F (7.4.11), but I'm having trouble figuring out if the connection setup needs to be site-to-site or dialup. The mobile routers are from Nextivity running OpenWRT, and there is a custom page in the web GUI for setting up a VPN that looks like this:

[Screenshot: Screenshot_VPN_Mobile.jpeg]

The Nextivity documentation only says that you need to choose the IKE version and any of the three authentication methods. I pulled a backup of the router config and found the swanctl.conf file, which is what the VPN client is using to attempt to connect to the FortiGate, and it looks like this:

connections {
    myvpn {
        version = 2
        remote_addrs =
        vips = 0.0.0.0
        rekey_time = 0s
        dpd_delay = 30s
        dpd_timeout = 120s
        proposals = aes256-sha256-ecp384,aes256-sha384-modp2048,aes128-sha256-ecp256
        local {
            auth = eap-mschapv2
            id =
            eap_id =
        }
        remote {
            auth = pubkey
            id =
        }
        children {
            myvpn-child {
                local_ts = 0.0.0.0/0
                remote_ts = 0.0.0.0/0
                mode = tunnel
                start_action = start
                close_action = start
                dpd_action = restart
                hostaccess = yes
                if_id_in = 301
                if_id_out = 301
                set_mark_out = 0x2a
                esp_proposals = aes256-sha256-modp2048
                inactivity = 300s
            }
        }
    }
}
secrets {
    eap-publickey {
        id =
        secret =
    }
    eap-client {
        id =
        secret =
    }
}

Any changes made in the GUI reset everything in this file unless the changes and the connection are handled through the CLI via SSH, though the documentation doesn't state that SSH is necessary to set up or start the VPN. I've tried several custom and site-to-site configurations, and nothing seems to get it to connect. I've tried a couple of the strongSwan troubleshooting guides, but I can't set static on either side due to the mobility networking. Sorry for the long post; I'm sure I will need to give additional information with any questions or comments. Thanks.

2 replies

Toshi_Esumi
SuperUser
February 9, 2026

It's unclear what kind of VPN you want to set up between what and what. Do you want to set up a site-to-site VPN between the Nextivity device and your 80F? Or between the 80F through the wireless (5G/4G) and another location?
If the former, you should ask Nextivity support how to configure the device on its side. If the latter, the Nextivity device should just provide wireless internet to the 80F, so you shouldn't be configuring any VPN on the device, but rather IP passthrough or NAT with port forwarding to the 80F behind it.

Toshi

HuronIT (Author)
New Member
February 9, 2026

The FortiGate sits in our office, and we need to set up either site-to-site between the FortiGate and the Nextivity router or get the router to connect to the FortiGate as a dialup user. The Nextivity routers will be placed in our patrol vehicles so our computers in the vehicle can connect to the host server for application access.

Toshi_Esumi
SuperUser
February 9, 2026

Then it's a VPN between the Nextivity and the 80F. Regardless of whether it's "static" or "dialup/dynamic", it would be a site-to-site IPsec VPN.
Likely you can't use the IPsec wizard on the FGT side, but a custom IPsec configuration to match the Nextivity side, which doesn't seem to be so flexible.

First, it's up to your 5G/4G service from the carrier. But if it's not a "Static IP" service, it would be behind NAT in the cloud or even CGNAT. So the FGT side needs to be configured as "dynamic".
And, at least it's showing what kind of proposals are acceptable for phase1, and phase2 seems to be aes256-sha256 only. For the DH group, you need to translate like ecp384 = DHG 20, modp2048 = DHG 14, which is showing in the config. You can search these translations on the internet (I always use Google).
The phase2 network selector is 0/0 <-> 0/0 since you don't seem to be able to configure it on the Nextivity side, which is luckily FGT's default config, so you don't have to worry about it.

It might not be so easy to match them up, so likely you need to repeat trial and error to bring up the IPsec. You need to keep watching the IKE debug output below to see what parameter the FGT doesn't like seeing:
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-IPsec-Tunnel-debugging-IKE/ta-p/190052

Toshi
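The proposal translation Toshi describes (strongSwan keywords to FortiGate proposal names and DH group numbers), worked through as an added example that is not from the thread or from Nextivity/Fortinet. It takes the proposal strings from the swanctl.conf in the question and renders a "type dynamic" phase1/phase2 skeleton; the tunnel name "nextivity" and interface "wan1" are placeholders, and the EAP authentication settings are deliberately left out since the thread does not settle them.

```python
import re
# IANA IKEv2 Diffie-Hellman group numbers keyed by strongSwan keyword.
DH_GROUPS = {"modp1024": 1, "modp1536": 5, "modp2048": 14, "modp3072": 15,
             "modp4096": 16, "ecp256": 19, "ecp384": 20, "ecp521": 21}

# Proposal strings copied from the swanctl.conf quoted in the question.
IKE_PROPOSALS = "aes256-sha256-ecp384,aes256-sha384-modp2048,aes128-sha256-ecp256"
ESP_PROPOSALS = "aes256-sha256-modp2048"
def parse_proposals(spec):
    """Split a strongSwan proposal list into FortiGate proposal names and
    DH group numbers (order kept, duplicates dropped). Only aesNNN-shaNNN-<dh>
    entries are accepted; anything else raises rather than becoming config."""
    names, groups = [], []
    for entry in spec.split(","):
        m = re.fullmatch(r"(aes(?:128|192|256))-(sha(?:256|384|512))-(\w+)",
                         entry.strip())
        if not m or m.group(3) not in DH_GROUPS:
            raise ValueError(f"unsupported proposal: {entry!r}")
        name, group = f"{m.group(1)}-{m.group(2)}", DH_GROUPS[m.group(3)]
        if name not in names:
            names.append(name)
        if group not in groups:
            groups.append(group)
    return names, groups

def fortigate_config(ike_spec, esp_spec, name="nextivity", wan="wan1"):
    """Render a dialup ('type dynamic') phase1/phase2 skeleton. 'name' and
    'wan' are placeholders; authentication is left out because the thread
    does not settle how the EAP side should be configured."""
    p1_names, p1_dh = parse_proposals(ike_spec)
    p2_names, p2_dh = parse_proposals(esp_spec)
    dh = lambda groups: " ".join(str(g) for g in groups)
    return "\n".join([
        "config vpn ipsec phase1-interface",
        f'    edit "{name}"',
        "        set type dynamic",  # peer has no fixed address (carrier NAT)
        f'        set interface "{wan}"',
        "        set ike-version 2",
        f"        set proposal {' '.join(p1_names)}",
        f"        set dhgrp {dh(p1_dh)}",
        "    next", "end",
        "config vpn ipsec phase2-interface",
        f'    edit "{name}-p2"',
        f'        set phase1name "{name}"',
        f"        set proposal {' '.join(p2_names)}",
        "        set pfs enable",  # the ESP proposal names a DH group, so PFS
        f"        set dhgrp {dh(p2_dh)}",
        "    next", "end",
    ])
```

Compare the rendered "set proposal" / "set dhgrp" lines against what the IKE debug shows the FGT rejecting; a proposal the parser refuses (GCM, 3DES, a missing DH group) has no direct FortiGate equivalent in this mapping and needs a manual look.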

sw2090
SuperUser
February 10, 2026

If you don't have a static WAN IP address on the mobile site, I recommend setting it up as dialup, because dialup does not require a remote gateway on your FortiGate. Otherwise you would have to do some DynDNS stuff to not have to enter the IP manually. Still, both sides by default try to establish the VPN, which causes "dead" SAs and takes time until it comes up.

And if you set the FortiGate to be silent (i.e. not to establish the tunnel), it will run into an issue (which TAC once confirmed to me to be a bug) causing the FortiGate to not refresh the DDNS correctly.

We have such constellations here (mobile internet on one side), and this works fine as dialup.