
Manual:Interface/SSTP - MikroTik Wiki https://wiki.mikrotik.com/wiki/Manual:Interface/SSTP

From MikroTik Wiki



Secure Socket Tunneling Protocol (SSTP) transports a PPP tunnel over a TLS channel. The use of TLS over TCP
port 443 allows SSTP to pass through virtually all firewalls and proxy servers.

SSTP connection mechanism

1 de 12 18/09/2019 16:43

1. A TCP connection is established from the client to the server (by default on port 443).
2. TLS validates the server certificate. If the certificate is valid the connection is established; otherwise it is torn down. (But see the note below.)
3. The client sends SSTP control packets within the HTTPS session, which establishes the SSTP state machine on both sides.
4. PPP negotiation takes place over SSTP. The client authenticates to the server and IP addresses are bound to the SSTP interface.
5. The SSTP tunnel is now established and packet encapsulation can begin.

Currently, SSTP clients exist in Windows Vista, Windows 7, Windows 8, Linux and RouterOS.


To set up a secure SSTP tunnel, certificates are required. The server authenticates the client only by username and password, but the client authenticates the server using the server certificate. The client also uses that certificate to cryptographically bind the SSL and PPP authentication: the client sends a special value over the SSTP connection to the server, derived from the key data generated during PPP authentication and from the server certificate, which allows the server to check that both channels are secure.

If the SSTP clients are Windows PCs, the only way to set up a secure SSTP tunnel with a self-signed certificate is to import the "server" certificate on the SSTP server and to add the CA certificate to the trusted root store on the Windows PC (http://technet.microsoft.com/en-us/library/dd458982.aspx).

The equivalent configuration on a RouterOS client is to import the CA certificate and enable the verify-server-certificate option. In this scenario Man-in-the-Middle attacks are not possible.

Between two MikroTik routers it is also possible to set up an insecure tunnel by not using certificates at all. In this case the data going through the SSTP tunnel is protected only by anonymous DH, and Man-in-the-Middle attacks are easily accomplished. This scenario is not compatible with Windows clients.

It is also possible to make a secure SSTP tunnel by adding additional authorization with a client certificate. The configuration requirements are:

certificates on both server and client
verification options enabled on server and client

This scenario is also not possible with Windows clients, because there is no way to set up a client certificate on Windows.
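The three trust models above expressed as RouterOS CLI, as an added example rather than the wiki's own commands. It assumes the certificates have already been imported under the names ca, server-cert and client-cert, uses the server 10.1.101.1 and the user sstp-test/123 from this page, and treats the server's force-aes option as available (RouterOS v6).

```routeros
# Added example (not from the wiki): the three SSTP trust models described above.
# Assumed certificate store names: ca, server-cert, client-cert.

# --- Model 1: server certificate only (works with Windows and RouterOS clients) ---
# The server presents a certificate issued by the CA that clients trust. Clients are
# authenticated by username/password only, so verify-client-certificate stays off.
# force-aes (assumed present, RouterOS v6) avoids the RC4 preference noted in the FAQ.
/interface sstp-server server set enabled=yes certificate=server-cert \
    authentication=mschap2 verify-client-certificate=no force-aes=yes
# RouterOS client: with the CA in its store, require the chain to validate AND the
# address in the certificate (subjectAltName / CN) to match connect-to, so a
# different but validly signed certificate is rejected as well.
/interface sstp-client add name=sstp-out1 connect-to=10.1.101.1 \
    user=sstp-test password=123 verify-server-certificate=yes \
    verify-server-address-from-certificate=yes disabled=no

# --- Model 2: mutual certificates (RouterOS peers only) ---
# The server additionally requires a client certificate signed by the same CA ...
/interface sstp-server server set verify-client-certificate=yes
# ... and the client presents its own certificate (with private key) on top of
# the server checks from Model 1.
/interface sstp-client set sstp-out1 certificate=client-cert

# --- Model 3: no certificates (anonymous DH) ---
# certificate=none on the server and verify-server-certificate=no on the client
# give the tunnel the text calls insecure: encrypted, but a man-in-the-middle
# cannot be detected. Listed (commented out) so the weak settings are easy to
# spot when auditing an existing configuration.
# /interface sstp-server server set enabled=yes certificate=none
# /interface sstp-client set sstp-out1 verify-server-certificate=no
```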

Certificate error messages

When the SSL handshake fails, you will see one of the following certificate errors:

certificate is not yet valid - the certificate's notBefore date is after the current time.
certificate has expired - the certificate's notAfter expiry date is before the current time.
invalid certificate purpose - the supplied certificate cannot be used for the specified purpose.
self signed certificate in chain - the certificate chain could be built using the untrusted certificates, but the root could not be found locally.
unable to get issuer certificate locally - the CA certificate is not imported locally.
server's IP address does not match certificate - server address verification is enabled, but the address provided in the certificate does not match the server's address.


Hostname verification

Server certificate verification is enabled on the SSTP client; additionally, if IP addresses or a DNS name are found in the certificate's subjectAltName or common-name, then the issuer CN will be compared to the real server's address. v5.7 adds the new parameter verify-server-address-from-certificate to disable/enable hostname verification.

Properties


Quick example

This example demonstrates how to set up an SSTP client with username "sstp-test", password "123" and server 10.1.101.1.

This sub-menu shows the interfaces for each connected SSTP client.

An interface is created for each tunnel established to the given server. There are two types of interfaces in the SSTP server's configuration:

Static interfaces are added administratively if there is a need to reference the particular interface name (in firewall rules or elsewhere) created for the particular user.
Dynamic interfaces are added to this list automatically whenever a user connects and its username does not match any existing static entry (or in case the entry is already active, as there cannot be two separate tunnel interfaces referenced by the same name).

Dynamic interfaces appear when a user connects and disappear once the user disconnects, so it is impossible to reference the tunnel created for that user in the router configuration (for example, in the firewall). If you need persistent rules for that user, create a static entry for them. Otherwise it is safe to use the dynamic configuration.


Server configuration

Properties:


The monitor command can be used to monitor the status of the tunnel on both client and server.

Read-only properties

Connecting Remote Client

The following example shows how to connect a computer to a remote office network over a secure, encrypted SSTP tunnel, giving that computer an IP address from the same network as the remote office (without the need for bridging over EoIP tunnels).

Consider the following setup:

The Office router is connected to the internet through ether1. Workstations are connected to ether2. The Laptop is connected to the internet and can reach the Office router's public IP (in our example it is 192.168.80.1).

Before you begin to configure SSTP, you need to create a server certificate and import it into the router (instructions here).

Now it is time to create a user:

Notice that the SSTP local address is the same as the router's address on the local interface, and the remote address is from the same range as the local network (10.1.101.0/24).

The next step is to enable the SSTP server and the SSTP client on the laptop:


Notice that authentication is set to mschap. These are the only authentication options that are valid for establishing a secure tunnel.

The SSTP client on the laptop should connect to the router's public IP, which in our example is 192.168.80.1.

Please consult the respective manual on how to set up an SSTP client with the software you are using. If you set up the SSTP client on Windows and self-signed certificates are used, then the CA certificate should be added to the trusted root store (http://technet.microsoft.com/en-us/library/dd458982.aspx).

To verify that the SSTP client is connected:

At this point (when the SSTP client is successfully connected), if you try to ping any workstation from the laptop, the ping will time out, because the Laptop is unable to get ARP replies from the workstations. The solution is to set up proxy-arp on the local interface:

After proxy-arp is enabled the client can successfully reach all workstations in the local network behind the router.
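The office-router side of this walk-through as RouterOS CLI, an added example rather than the commands from the wiki. It assumes the server certificate is already imported as server-cert, that ether2 carries the LAN 10.1.101.0/24 with the router at 10.1.101.1 (from the page), and uses a constructed remote address 10.1.101.100 for the laptop.

```routeros
# Added example (not from the wiki): office router for the remote-client scenario.
# Assumed: certificate "server-cert" already imported; ether2 = LAN 10.1.101.0/24
# with the router at 10.1.101.1; 10.1.101.100 is a constructed address for the laptop.

# 1. The user. local-address is the router's own LAN address; remote-address is
#    taken from the LAN range, so the laptop appears as a host on 10.1.101.0/24.
/ppp secret add name=sstp-test password=123 service=sstp \
    local-address=10.1.101.1 remote-address=10.1.101.100

# 2. Enable the server. MS-CHAP is the only authentication valid for a secure tunnel.
/interface sstp-server server set enabled=yes certificate=server-cert \
    authentication=mschap2

# 3. Workstations ARP for the laptop's address on ether2, but that address is only
#    reachable through the PPP tunnel, which carries no ARP. proxy-arp makes the
#    router answer those ARP requests so replies are routed back into the tunnel.
/interface ethernet set ether2 arp=proxy-arp

# 4. Checks once the laptop has connected: a dynamic interface and an active
#    PPP session for sstp-test should be listed.
/interface sstp-server print
/ppp active print where name=sstp-test
```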


Site-to-Site SSTP

The following is an example of connecting two intranets using an SSTP tunnel over the Internet.

Consider the following setup:

The Office and Home routers are connected to the internet through ether1; workstations and laptops are connected to ether2. In this example both local networks are routed through the SSTP client, so they are not in the same broadcast domain. To overcome this, as with any other PPP tunnel, SSTP also supports BCP, which allows it to bridge the SSTP tunnel with a local interface.

The first step is to create a user:

Notice that we set up SSTP to add a route whenever the client connects. If this option is not set, you will need a static routing configuration on the server to route traffic between the sites through the SSTP tunnel.

Now we need to upload and import the CA and server/client certificates. Assuming that the files are already uploaded, use the following commands:


Edit names to something more meaningful:

Do the same on the client side, but import the client's certificate instead of the server's.

The next step is to enable the SSTP server on the Office router:

Now configure the SSTP client on the Home router:

Now we need to add a static route on the Home router to reach the local network behind the Office router:

After the tunnel is established you should be able to ping the remote network.
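The site-to-site procedure above in RouterOS CLI, as an added example that is not the wiki's own commands. Office values (public IP 192.168.80.1, LAN 10.1.101.0/24) come from the page; the Home LAN 10.1.102.0/24, the tunnel addresses 10.99.0.1/10.99.0.2, the user home, the password and the certificate file names are constructed placeholders.

```routeros
# Added example (not from the wiki): site-to-site SSTP with mutual certificates.
# Constructed values: Home LAN 10.1.102.0/24, tunnel 10.99.0.1 (office) / 10.99.0.2
# (home), user "home", placeholder password and certificate file names.

# ===== Office router (SSTP server) =====
# User for the Home router. routes="dst gateway metric" is installed on the server
# whenever this client connects, so no static route is needed on the office side.
/ppp secret add name=home password=CHANGE-ME service=sstp \
    local-address=10.99.0.1 remote-address=10.99.0.2 \
    routes="10.1.102.0/24 10.99.0.2 1"
# Import CA and server certificate + key. RouterOS names imported entries after the
# file (e.g. ca.crt_0 in v6; confirm with /certificate print), so rename them.
/certificate import file-name=ca.crt passphrase=""
/certificate import file-name=server.crt passphrase=""
/certificate import file-name=server.key passphrase=""
/certificate set [find name="ca.crt_0"] name=ca
/certificate set [find name="server.crt_0"] name=server-cert
/interface sstp-server server set enabled=yes certificate=server-cert \
    authentication=mschap2 verify-client-certificate=yes

# ===== Home router (SSTP client) =====
/certificate import file-name=ca.crt passphrase=""
/certificate import file-name=client.crt passphrase=""
/certificate import file-name=client.key passphrase=""
/certificate set [find name="client.crt_0"] name=client-cert
/interface sstp-client add name=sstp-office connect-to=192.168.80.1 \
    user=home password=CHANGE-ME certificate=client-cert \
    verify-server-certificate=yes verify-server-address-from-certificate=yes \
    disabled=no
# Static route to the Office LAN via the tunnel interface
/ip route add dst-address=10.1.101.0/24 gateway=sstp-office
# Verify: tunnel status, then reach a host on the far side
/interface sstp-client monitor sstp-office once
/ping 10.1.101.1 count=3
```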


After a Windows 7 upgrade SSTP is unable to connect (Windows error 631)?

MS Patch KB2585542 changes the cipher to RC4, which was not supported on RouterOS. Starting from RouterOS v5.13 RC4 is the preferred cipher and AES will be used only if the peer does not advertise RC4.

I get the following error when trying to connect a Windows 7 client: Error 0x80070320 The oplock that was associated with this handle is now associated with a different handle.

Disable the verify-client-certificate option on the server.

I get the following error: "Encryption negotiation rejected".

Disable the use-encryption option in the PPP profile.

Creating Certificates
BCP (Bridge Control Protocol)
Microsoft SSTP Remote Access Step-by-Step Guide (http://technet.microsoft.com/en-us/library/cc731352(WS.10).aspx)
Free trusted Class1 certificates (http://www.startssl.com/) from startssl.com
Free Linux SSTP Client (http://sstp-client.sourceforge.net/)


Retrieved from "https://wiki.mikrotik.com/index.php?title=Manual:Interface/SSTP&oldid=33548"

This page was last edited on 20 August 2019, at 14:44.

