
How to import SCEP certificate when the server is across the IPsec tunnel

This article describes how to import a CA certificate via SCEP when the SCEP server is reachable only across an IPsec tunnel. By default, traffic originated by the FortiGate itself (local-out traffic such as a SCEP request) is not sent through the tunnel, so the import has to be told which source address to use.

Scope

FortiGate v7.x.

Solution

Topology:

Windows SCEP server (10.0.0.5) --- FGT-1 === IPsec tunnel === FGT-2 (mgmt. IP: 192.168.1.1)

When the Windows SCEP server sits on the far side of the tunnel, the import must be done from the CLI: the CLI form of the import command accepts a source IP, which is what makes the locally generated SCEP request leave FGT-2 through the tunnel instead of its default route. The source IP must be an address on FGT-2 that is covered by the phase 2 selectors on both ends, and FGT-2 needs a route to the SCEP server (10.0.0.5) via the tunnel interface; otherwise the request is sent out the default route and the import fails.

In this scenario, the FortiGate CLI requires the following command:

execute vpn certificate ca import auto <CA server URL/IP> <CA identifier (optional)> <source IP used to reach the CA server> <fingerprint>   <----- auto: import the CA certificate via SCEP.

For example:

execute vpn certificate ca import auto 10.0.0.5 0 192.168.1.1 0

Here 10.0.0.5 is the SCEP server, 192.168.1.1 (the FGT-2 address that falls inside the tunnel's selectors) is the source IP, and the CA identifier and fingerprint positions are given as 0 in this example. For a Windows NDES deployment the SCEP endpoint is normally http://<server>/certsrv/mscep/mscep.dll, so use the full URL in the first position if the server does not answer on the bare IP. Once the command completes, the imported certificate appears under config vpn certificate ca.
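The following is an added worked example of the full procedure on FGT-2, not taken from the original article. It assumes the tunnel's phase 1 interface on FGT-2 is named "to-FGT1" (a hypothetical name) and the addresses from the topology above; the route and selector checks are the ones that decide whether the request is actually sent through the tunnel.

```text
# 1. Confirm how FGT-2 currently reaches the SCEP server. If the route shown
#    is not via the tunnel interface, the SCEP request will use the default route.
get router info routing-table details 10.0.0.5

# 2. If no tunnel route exists, add a host route for the SCEP server via the
#    phase 1 interface ("to-FGT1" is an assumed name, replace with yours).
config router static
    edit 0
        set dst 10.0.0.5 255.255.255.255
        set device "to-FGT1"
    next
end

# 3. Check that the tunnel is up and that the phase 2 selectors (proxyid src/dst)
#    include 192.168.1.1 on the local side and 10.0.0.5 on the remote side.
#    The same must be true, mirrored, on FGT-1.
diagnose vpn tunnel list name to-FGT1

# 4. (Optional) In a second CLI session, watch the request leave through the
#    tunnel rather than the WAN interface; verbosity 4 prints interface names.
diagnose sniffer packet any "host 10.0.0.5" 4

# 5. Import the CA certificate via SCEP, sourcing the request from 192.168.1.1
#    (the CA identifier and fingerprint are left as 0, as in the article).
execute vpn certificate ca import auto 10.0.0.5 0 192.168.1.1 0

# 6. Verify the CA certificate was stored.
show vpn certificate ca
```

If the sniffer in step 4 shows the packets leaving a WAN interface instead of the tunnel, the route in step 2 is missing or a more specific route wins; if they leave the tunnel but no reply comes back, check the phase 2 selectors on FGT-1 and the return route from the SCEP server to 192.168.1.1.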