The interface index is what the session list (diagnose system session list) uses to identify the interfaces a session traverses; it appears in the dev= field of each session entry rather than the interface name:
Example:
orgin->sink: org out->post, reply pre->in dev=13->0/0->13
When a tunnel has no interface IP, it is not listed in the diagnose ip address list output at all, so its interface index has to be found elsewhere.
An IPsec tunnel on FortiGate can be created for these scenarios:
- BGP on overlay: tunnels have an interface IP.
- BGP on loopback: tunnels do not have an interface IP.
- Dynamic BGP using BGP on overlay: tunnels have an interface IP.
- Dynamic BGP using BGP on loopback: tunnels do not have an interface IP.
When tunnels have an interface IP, show system interface <tunnel name> shows the IP associated with the tunnel.
Example:
Spoke1 # show system interface hub1-Pri
config system interface
    edit "hub1-Pri"
        set vdom "root"
        set ip 10.250.255.2 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 10.250.255.1 255.255.255.0
        set snmp-index 8
        set interface "port2"
    next
end
To find the interface index of a tunnel that has an interface IP, use the diagnose ip address list command; the index= field is the interface index:
Spoke1 # diagnose ip address list | grep hub1-Pri
IP=10.250.255.2->10.250.255.2/255.255.255.255 index=14 devname=hub1-Pri
When a tunnel has no interface IP, no set ip line appears in the show system interface output, and the tunnel is absent from diagnose ip address list, so grepping for it returns nothing:
Spoke1 # show system interface hub1-Pri
config system interface
    edit "hub1-Pri"
        set vdom "root"
        set allowaccess ping
        set type tunnel
        set snmp-index 8
        set interface "port2"
    next
end
Spoke1 # diagnose ip address list | grep hub1-Pri
For such tunnels, the interface index can be read from the kernel routing table, where every route shows its outgoing interface as dev=<index>(<name>):
Spoke1 # get router info kernel | grep hub1-Pri
tab=65534 vf=0 vrf=0 scope=0 type=1 proto=11 prio=1 0.0.0.0/0.0.0.0/0->10.250.255.1/32 pref=0.0.0.0 gwy=20.0.0.1 dev=14(hub1-Pri)
gwy=20.0.0.1 flag=04 hops=0 oif=14(hub1-Pri)
gwy=20.0.0.1 flag=04 hops=0 oif=14(hub1-Pri)
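The two lookups above (diagnose ip address list for tunnels with an IP, the kernel routing table for tunnels without one) can be combined into a single index-to-name map, which is what is needed to read the dev= field of a session entry. The following Python script is an added example, not part of this article or of FortiOS; it parses constructed sample output modelled on the CLI lines shown above (port2, hub1-Sec, the 20.0.0.x and 10.0.0.0/8 entries are made up), and it treats interface index 0 in a session entry as "local", which is an assumption about the 0 in the article's example rather than a documented FortiOS meaning.

```python
import re

# Constructed sample CLI output, modelled on the lines shown in this article.
# Not captured from a live device: port2 and hub1-Sec are made-up entries.
IP_ADDRESS_LIST = """\
IP=20.0.0.2->20.0.0.2/255.255.255.0 index=4 devname=port2
IP=10.250.255.2->10.250.255.2/255.255.255.255 index=14 devname=hub1-Pri
"""

# hub1-Sec stands for a tunnel without an interface IP: it never appears in
# diagnose ip address list, only in the kernel routing table.
KERNEL_ROUTES = """\
tab=254 vf=0 vrf=0 scope=0 type=1 proto=11 prio=1 0.0.0.0/0.0.0.0/0->10.250.255.1/32 pref=0.0.0.0 gwy=20.0.0.1 dev=14(hub1-Pri)
tab=254 vf=0 vrf=0 scope=0 type=1 proto=11 prio=1 0.0.0.0/0.0.0.0/0->10.0.0.0/8 pref=0.0.0.0 gwy=20.0.0.1 dev=13(hub1-Sec)
"""

# One session entry, copied in the shape the article shows.
SESSION_LINE = "orgin->sink: org out->post, reply pre->in dev=13->0/0->13"

IP_LIST_RE = re.compile(r"\bindex=(\d+)\s+devname=(\S+)")
KERNEL_RE = re.compile(r"\b(?:dev|oif)=(\d+)\(([^)]+)\)")
SESSION_DEV_RE = re.compile(r"\bdev=(\d+)->(\d+)/(\d+)->(\d+)")


def index_map(ip_list_output, kernel_output):
    """Build {interface index: name} from both commands' output.

    diagnose ip address list covers interfaces that have an IP; the kernel
    routes (dev=N(name) and oif=N(name) fields) fill in tunnels without an IP,
    which the address list omits. Address-list entries take precedence.
    """
    mapping = {}
    for m in IP_LIST_RE.finditer(ip_list_output):
        mapping[int(m.group(1))] = m.group(2)
    for m in KERNEL_RE.finditer(kernel_output):
        mapping.setdefault(int(m.group(1)), m.group(2))
    return mapping


def interface_index(name, ip_list_output, kernel_output):
    """Return the index of one interface name, or None if neither output lists it."""
    for idx, devname in index_map(ip_list_output, kernel_output).items():
        if devname == name:
            return idx
    return None


def resolve_session_devs(session_line, mapping):
    """Translate the dev=a->b/c->d field of a session entry into interface names.

    a->b is the original direction (ingress->egress), c->d the reply direction.
    Index 0 is reported as 'local' (no interface); this is an assumption about
    the 0 in the article's example, not a documented FortiOS meaning.
    """
    m = SESSION_DEV_RE.search(session_line)
    if m is None:
        raise ValueError("no dev= field in session line: %r" % session_line)

    def name(idx):
        if idx == 0:
            return "local"
        return mapping.get(idx, "unknown(%d)" % idx)

    org_in, org_out, reply_in, reply_out = (int(x) for x in m.groups())
    return {
        "org": (name(org_in), name(org_out)),
        "reply": (name(reply_in), name(reply_out)),
    }


if __name__ == "__main__":
    devs = index_map(IP_ADDRESS_LIST, KERNEL_ROUTES)
    print(devs)
    print("hub1-Sec index:", interface_index("hub1-Sec", IP_ADDRESS_LIST, KERNEL_ROUTES))
    print(resolve_session_devs(SESSION_LINE, devs))
```

On a real device, paste the output of diagnose ip address list and get router info kernel into the two strings; a tunnel that is present in the routing table but absent from the address list is exactly the BGP-on-loopback case described above, and the script still resolves its index from the dev=N(name) field.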