I have an RB433A device with RouterOS 5.11. I have been running SSTP (with RADIUS auth) successfully for a while now, and everything was OK until recently, when my wife (we both have Windows 7) could not establish the SSTP VPN any more. She would get the error shown in this screenshot:
[Screenshot attachment: Capture2.PNG]
On the RB433A, this error is shown in the SSTP debug log:
[Screenshot attachment: Capture.JPG]
For me, SSTP is established fine. Two other remote workers also have the same problem as my wife (we all use Windows 7). The certificate is valid for another month or so. My wife and I establish the VPN from the same local network over the internet to the RB433A device.
Any ideas? I Wiresharked both TCP sessions of connection establishment, however the SSL error is sent encrypted back from the server, so I can't read it. Perhaps I'll try with ssldump to see what actually is sent over by the server to the failing clients.
However, can anybody help me with the "recvd too small packet" error?
I'm confirming that the source of the trouble is MS patch KB2585542.
When I uninstall this patch, MikroTik SSTP works great.
After that, I installed this patch again and tried adding the registry key (HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\SendExtraRecord = 2). Well, MikroTik SSTP VPN works great again.
The registry fix did not solve the problem for my user who upgraded to Windows 8.1. I guess there is something more that has to be fixed when using RADIUS for authentication? (PPTP also fails to authenticate using RADIUS, and the router never sends auth packets to the RADIUS server, neither for PPTP nor for SSTP. Both PPTP and SSTP work with RADIUS when the client is Win7/Win8.0.)
A little update here, as the registry fix didn't work for one of my users. The next time I had the user's PC in my hands, I searched through the registry for keys named "SCHANNEL" and added the key value to all the hits I got. That solved the problem. The search got 4-5 hits. I don't know which key did the trick.
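The two posts above set SendExtraRecord by hand, one on the canonical SCHANNEL key and one on every key named SCHANNEL found by a registry search. The PowerShell function below is an added example, not code from the thread or from MikroTik: it audits those keys so an administrator can see which clients have had the setting changed, and optionally writes the value 2 the posters report as working. KB2585542 is the SChannel update for the BEAST attack (CVE-2011-3389), and SendExtraRecord controls whether SChannel splits the first TLS record, so the audit is also a record of where that mitigation has been altered. The search root (HKLM:\SYSTEM) and the default value are assumptions of this example.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
# Lists every key named SCHANNEL under HKLM:\SYSTEM (the poster above found
# 4-5 such hits) with its current SendExtraRecord value. With -Fix it writes
# the value the thread reports as working; -WhatIf previews the change.
function Get-SchannelExtraRecord {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [switch]$Fix,
        [int]$DesiredValue = 2   # value the thread reports as working (assumption: default here)
    )

    $root = 'HKLM:\SYSTEM'   # assumption: the thread does not say where the other hits were
    $keys = Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -eq 'SCHANNEL' }

    foreach ($key in $keys) {
        # Missing value means the post-KB2585542 default behaviour applies
        $current = (Get-ItemProperty -Path $key.PSPath -Name SendExtraRecord `
                        -ErrorAction SilentlyContinue).SendExtraRecord
        $status  = if ($null -eq $current) { 'not set (post-KB2585542 default)' }
                   else { "set to $current" }

        # Emit one audit record per key so the result can be logged or compared
        [pscustomobject]@{
            Key             = $key.Name
            SendExtraRecord = $current
            Status          = $status
        }

        if ($Fix -and $current -ne $DesiredValue -and
            $PSCmdlet.ShouldProcess($key.Name, "Set SendExtraRecord=$DesiredValue")) {
            # DWORD value, created or overwritten in place
            New-ItemProperty -Path $key.PSPath -Name SendExtraRecord `
                -PropertyType DWord -Value $DesiredValue -Force | Out-Null
        }
    }
}

# Audit only:
Get-SchannelExtraRecord | Format-Table -AutoSize
# Preview the change the thread describes, then apply it:
# Get-SchannelExtraRecord -Fix -WhatIf
# Get-SchannelExtraRecord -Fix
```

Because the value changes how SChannel handles the first record of SSL 3.0/TLS 1.0 CBC sessions for every application on that client, keep the audit output so the change can be reverted once the server side handles split records.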
I can confirm that the registry change worked for me as well - a first time setup with a test user (Win8.1).
I will read up on the links you all so kindly passed on in the thread, but perhaps someone could share their opinion on the implications of making the required change to the registry (i.e. the BEAST vuln?). Also, has the change to another TLS version made its way into the product's roadmap?
On a separate note, how do I enable the debug logging for sstp connections as seen in the original post?