aprilssss
New Contributor

Question on 0.0.0.0 gateway over IPsec.

Hello,

Thanks beforehand for any help regarding my question.

We have a simple multi-WAN setup with one particular element I cannot fully understand.

Two subnets, e.g. 192.168.0.0/24 and 192.168.1.0/24, are managed by our FortiGate firewall, which is connected to one WAN interface (WAN1). In the firewall there is also an IPsec connection. We have created policy routes to say that the first network should go out from WAN1 and the second one through the IPsec connection.

In the IPsec connection, I noticed that the gateway is set to 0.0.0.0/0. Notice that I'm not talking about the destination address in a route. I'm talking, specifically, about the gateway itself. So, how does this make sense? And how is it possible that the setup actually works, taking into account these conditions? 

 

Thanks and have a good day all!

atakannatak
Contributor

Hi @aprilssss ,

 

When you see 0.0.0.0 as the gateway for an IPsec interface, it's not a mistake — it's by design in FortiOS. Here's why:

 

  • IPsec interfaces (specifically route-based VPNs using virtual interfaces) do not require a traditional next-hop gateway in the way physical interfaces like WAN1 or WAN2 do.
  • FortiGate uses the tunnel itself as the "path", and routes are based on the tunnel interface name, not a next-hop IP.
  • Since there's no ARP or neighbor discovery over a VPN tunnel, and since the remote end of the tunnel is not directly reachable via Layer 3, FortiOS sets the gateway as 0.0.0.0.

This is just a placeholder — FortiGate knows to route traffic out via the tunnel based on matching policy routes or regular routes that reference the tunnel interface, not an IP next-hop.

 

If you review the following article, it may help answer your question and provide useful insights.

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Static-route-gateway-address-for-IPsec-poi...

 

BR.

 

If my answer provided a solution for you, please mark the reply as solved so that others can find it easily while searching for similar scenarios.

 

CCIE #68781

Atakan Atak
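
The setup from the question, sketched as FortiOS CLI configuration. This is an added example, not configuration posted by either participant; the interface names (`lan1`, `lan2`, `wan1`, `vpn-tunnel`), the WAN next hop 203.0.113.1 and the remote subnet 10.10.0.0/16 are constructed placeholders, and the `#` lines are annotations.

```fortios
# Added illustration; all names and addresses are constructed placeholders.
config router policy
    edit 1
        # 192.168.0.0/24 leaves via the physical WAN interface.
        # Ethernet needs a next-hop IP so the firewall can resolve a MAC address.
        set input-device "lan1"
        set src "192.168.0.0/255.255.255.0"
        set dst "0.0.0.0/0.0.0.0"
        set output-device "wan1"
        set gateway 203.0.113.1
    next
    edit 2
        # 192.168.1.0/24 leaves via the route-based IPsec tunnel interface.
        # The tunnel is point-to-point, so the output device alone selects the
        # path and the gateway stays at its 0.0.0.0 default.
        set input-device "lan2"
        set src "192.168.1.0/255.255.255.0"
        set dst "0.0.0.0/0.0.0.0"
        set output-device "vpn-tunnel"
        set gateway 0.0.0.0
    next
end

config router static
    edit 10
        # A regular static route over the tunnel is written the same way:
        # destination plus device, no gateway line.
        set dst 10.10.0.0 255.255.0.0
        set device "vpn-tunnel"
    next
end
```

The address the encrypted packets are actually sent to is the peer configured on the tunnel's phase 1 (`set remote-gw` under `config vpn ipsec phase1-interface`), not anything in the route.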