Technical Tip: IPsec VPN route shows a different gateway IP than a remote IP address
| Description | This article describes why the GUI under Dashboard -> Network -> Static Routes shows a gateway IP that differs from the remote IP address when the next hop is the VPN tunnel interface. |
| Scope | FortiGate, FortiOS 7.0. |
| Solution | In FortiOS 7.0 firmware, IPsec routes are linked to the tunnels by the tunnel IDs, replacing the need to have a route tree in the IPsec tunnel list for selecting tunnels by next hop when net-device is disabled.
Consequently, the tunnel search option in phase1 is removed, because tunnels are now clearly identified by the tunnel ID and referenced in the routing table.
In 6.4: The next hop is the VPN tunnel interface, and the gateway IP address is the remote IP address.
In 7.0: The next hop is the VPN tunnel interface, and the gateway IP address shows the tunnel ID.
To identify the VPN tunnel ID, run the following command:
diagnose vpn tunnel list | grep tun_id
Related documents: Technical Tip: IPsec Tunnel ID expected behavior. Dedicated tunnel ID for IPsec tunnels - FortiGate documentation. |
