Skip to main content
aprilssss
aprilssss
New Member
April 7, 2025
Question

Question on 0.0.0.0 gateway over IPsec.

  • April 7, 2025
  • 1 reply
  • 2570 views

Hello,

Thanks beforehand for any help regarding my question.

 

We have a simple multi-WAN setup where a particular element I cannot fully understand.

Two subnets, e.g. 192.168.0.0/24 and 192.168.1.0/24 managed by our Fortigate firewall, connected to one WAN interface (WAN1.) In the firewall there also is a IPsec connection. We have created policy routes to say that the first network should go out from WAN1 and the second one, through the IPsec connection. 

 

In the IPsec connection, I noticed that the gateway is set to 0.0.0.0/0. Notice that I'm not talking about the destination address in a route. I'm talking, specifically, about the gateway itself. So, how does this make sense? And how is it possible that the setup actually works, taking into account these conditions? 

 

Thanks and have a good day all!

1 reply

atakannatak
atakannatak
Explorer
April 7, 2025

Hi @aprilssss ,

 

When you see 0.0.0.0 as the gateway for an IPsec interface, it's not a mistake — it's by design in FortiOS. Here's why:

 

  • IPsec interfaces (specifically route-based VPNs using virtual interfaces) do not require a traditional next-hop gateway in the way physical interfaces like WAN1 or WAN2 do.
  • FortiGate uses the tunnel itself as the "path", and routes are based on the tunnel interface name, not a next-hop IP.
  • Since there's no ARP or neighbor discovery over a VPN tunnel, and since the remote end of the tunnel is not directly reachable via Layer 3, FortiOS sets the gateway as 0.0.0.0.

This is just a placeholder — FortiGate knows to route traffic out via the tunnel based on matching policy routes or regular routes that reference the tunnel interface, not an IP next-hop.

 

If you review the following article, it may help answer your question and provide useful insights.

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Static-route-gateway-address-for-IPsec-point-to/ta-p/254538

 

BR.

 

If my answer provided a solution for you, please mark the reply as solved it so that others can get it easily while searching for similar scenarios.

 

CCIE #68781

    Terms & ConditionsAccessibility statement