Ringo
New Member
January 25, 2016
Question

IPsec VPNs ALWAYS route hop through DMZ interface IP address?

Fortigate firewall : 60D - Wifi

Firmware Version : v5.2.3,build670 (GA)

Operation Mode :  NAT

IPsec VPN client DHCP range : 192.168.60.10-192.168.60.20

The VPN can only access the NAS, IP: 192.168.10.70

 

Symptom

When the client has established the VPN connection and runs a traceroute to 192.168.10.70, the first hop is ALWAYS the IP address of the FortiGate's DMZ interface, even though I have the FortiGate's DMZ interface administratively down.

When I change the DMZ IP and run the traceroute again, the first hop IP changes accordingly.

When I change the DMZ IP to 0.0.0.0/0.0.0.0, the first hop IP changes to the WAN-1 IP (external IP for Internet).

 

Why is the first hop not the gateway IP address? How can I fix this problem?

 

Thanks

 

Ringo