Cannot connect to hAP lite MikroTik using VPN SSTP with certificate? Receive error in Windows 8.1: The CN name of the certificate does not match the received value.


The configuration we took from https://wiki.mikrotik.com/wiki/Manual:Interface/SSTP#Connecting_Remote_Client

https://wiki.mikrotik.com/wiki/Manual:Create_Certificates

What is wrong in the configuration? Why does VPN SSTP not work?

Generate certificates on RouterOS

/certificate
add name=ca-template common-name=myCa key-usage=key-cert-sign,crl-sign
add name=server-template common-name=server
add name=client1-template common-name=client1
add name=client2-template common-name=client2
/certificate
sign ca-template ca-crl-host=00.00.00.00 name=myCa
sign server-template ca=myCa name=server
sign client1-template ca=myCa name=client1
sign client2-template ca=myCa name=client2

set myCa trusted=yes
set server trusted=yes

/certificate export-certificate myCa
/certificate export-certificate client1 export-passphrase=xxxxxxxx
/certificate export-certificate client2 export-passphrase=xxxxxxxx

print

To create a user

/ppp secret add name=Laptop service=sstp password=123 local-address=192.168.1.1 \
remote-address=192.168.1.253
/ppp secret print detail

/interface sstp-server server set certificate=server
/interface sstp-server server set enabled=yes
/interface sstp-server server set authentication=mschap2
/interface sstp-server server print

Certificates can be tricky. If you’re connecting to server vpn.someserver.tld, it must have a certificate valid for that hostname. If you’re using a numeric IP address instead, you also need a certificate valid for that address. And the issuer of this certificate must be trusted by the client.

You can create all certificates yourself, you do not need to buy them from trusted CA. But you still have to make sure that the above is true. So set correct CN for server certificate and import your CA to client as trusted.

I made the certificate with the command for IP address 23.111.158.13 but it does not work.

Generate certificates on RouterOS

/certificate
add name=ca-template common-name=myCa key-usage=key-cert-sign,crl-sign
add name=server-template common-name=server
add name=client1-template common-name=client1
add name=client2-template common-name=client2
/certificate
sign ca-template ca-crl-host=23.111.158.13 name=myCa
sign server-template ca=myCa name=server
sign client1-template ca=myCa name=client1
sign client2-template ca=myCa name=client2

set myCa trusted=yes
set server trusted=yes

/certificate export-certificate myCa
/certificate export-certificate client1 export-passphrase=xxxxxxxx
/certificate export-certificate client2 export-passphrase=xxxxxxxx

print

That’s for CRL, you can skip that parameter completely, because it probably won’t be available there anyway. What needs fixing is server certificate, specifically common-name=server. And it can’t hurt if you add subject-alt-name=IP:.

Is it right?

/certificate
add name=ca-template common-name=myCa key-usage=key-cert-sign,crl-sign
add name=server-template common-name=server subject-alt-name=IP:23.111.158.13
add name=client1-template common-name=client1
add name=client2-template common-name=client2
/certificate
sign ca-template ca-crl-host=23.111.158.13 name=myCa
sign server-template ca=myCa name=server
sign client1-template ca=myCa name=client1
sign client2-template ca=myCa name=client2

set myCa trusted=yes
set server trusted=yes

/certificate export-certificate myCa
/certificate export-certificate client1 export-passphrase=xxxxxxxx
/certificate export-certificate client2 export-passphrase=xxxxxxxx

Try also common-name=23.111.158.13 (even though clients should prefer subject-alt-name).

Is it right? We receive the same error.


/certificate
add name=ca-template common-name=myCa key-usage=key-cert-sign,crl-sign
add name=server-template common-name=23.53.75.76
add name=client1-template common-name=36.35.35.54
add name=client2-template common-name=192.168.1.251
/certificate
sign ca-template ca-crl-host=23.53.75.76 name=myCa
sign server-template ca=myCa name=server
sign client1-template ca=myCa name=client1
sign client2-template ca=myCa name=client2

set myCa trusted=yes
set server trusted=yes

/certificate export-certificate myCa
/certificate export-certificate client1 export-passphrase=xxxxxxxx
/certificate export-certificate client2 export-passphrase=xxxxxxxx

print

To create a user

/ppp secret add name=Laptop service=sstp password=123 local-address=23.53.75.76 \
remote-address=36.35.35.54
/ppp secret print detail

/interface sstp-server server set certificate=server
/interface sstp-server server set enabled=yes
/interface sstp-server server set authentication=mschap2
/interface sstp-server server print

I quick-tested it for you. Client certificate is not supported by Windows SSTP client, so you only need CA and server certificate (“My VPN CA” can be any name you like):

/certificate
add name=ca-template common-name="My VPN CA" key-usage=key-cert-sign,crl-sign
add name=server-template common-name=192.168.80.181 subject-alt-name=IP:192.168.80.181
sign ca-template name="My VPN CA"
sign server-template ca="My VPN CA" name=server
export-certificate "My VPN CA"

It’s better if you have domain and point a hostname to server, to avoid changing everything if the IP address changes. Command for that would be:

add name=server-template common-name=vpn.youdomain.tld subject-alt-name=DNS:vpn.youdomain.tld

But if you don’t have any, IP address can work too.

Simple server config:

/interface sstp-server server
set authentication=mschap2 certificate=server enabled=yes force-aes=yes pfs=yes tls-version=only-1.2
/ppp secret
add local-address=10.1.101.1 name=test password=123 remote-address=10.1.101.100 service=sstp

Then take exported CA certificate (cert_export_My VPN CA.crt), copy it to Windows and import it as trusted root certificate into computer’s (not user’s) certificate store. Add new VPN connection, select SSTP as type and 192.168.80.181 or vpn.youdomain.tld as address to connect to. And that’s all, works great here.

Of course use your addresses instead of mine, 192.168.80.181 is server address, 10.1.101.x are addresses used inside tunnel.

Instead of this line
add name=server-template common-name=23.53.75.76
I need to use this line
add name=server-template common-name=192.162.0.1
because it is used by the MikroTik router inside the network.
Is it wrong to use 23.53.75.76 in this place?
Will it work with add name=server-template common-name=23.53.75.76 or not?

You need to get certificate verification right. So what address the client will be connecting to, that one needs to be in certificate. Or forget numeric addresses and use hostname, even DDNS from RouterOS (IP->Cloud) would work.
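The matching rule Sob describes above (the address the client types must appear in the server certificate, SAN preferred over CN) can be checked before exporting anything. The following is an added example, not code from the thread or from RouterOS: it parses a RouterOS-style subject-alt-name value and applies the RFC 6125 rule (when any SAN is present only SANs count; CN is the fallback for certificates without SAN), which is assumed here to be the rule behind the Windows "CN name of the certificate does not match" error. Addresses and hostnames come from the thread.

```python
import ipaddress


def parse_san(san):
    """Parse a RouterOS-style subject-alt-name value such as
    'IP:192.168.80.181,DNS:vpn.youdomain.tld' into (KIND, value) tuples."""
    entries = []
    for item in (san or "").split(","):
        item = item.strip()
        if item:
            kind, _, value = item.partition(":")
            entries.append((kind.strip().upper(), value.strip()))
    return entries


def is_ip(addr):
    try:
        ipaddress.ip_address(addr)
        return True
    except ValueError:
        return False


def _dns_match(pattern, host):
    # Case-insensitive; a single leading '*.' wildcard matches exactly one label.
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def cert_matches_address(common_name, san, target):
    """True if a certificate with this CN and subject-alt-name is valid for
    `target`, the hostname or IP the VPN client connects to."""
    entries = parse_san(san)
    if entries:
        # SAN present: the CN is ignored, only matching SAN entries count.
        if is_ip(target):
            ip = ipaddress.ip_address(target)
            return any(k == "IP" and is_ip(v) and ipaddress.ip_address(v) == ip
                       for k, v in entries)
        return any(k == "DNS" and _dns_match(v, target) for k, v in entries)
    # No SAN: fall back to the CN, which must equal the literal address.
    if is_ip(target):
        return is_ip(common_name) and \
            ipaddress.ip_address(common_name) == ipaddress.ip_address(target)
    return _dns_match(common_name, target)
```

For the thread's first attempt, common-name=server with no SAN while connecting to 23.111.158.13, the function returns False, which is the mismatch the Windows client reports; Sob's working example (CN and SAN both 192.168.80.181) returns True.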

When connecting VPN from Windows 7 to the MikroTik hAP lite router we receive Error 0x8007274C in Windows 7. How do we solve it?

It’s not like anyone remembers what all possible error codes mean (apologies to anyone who does, if such person exists). What I do is asking Google, in this case 0x8007274C and SSTP would be good keywords. I usually find mostly other people with the same problem, but if I’m lucky, I eventually find the solution too. Keep your eyes open, it’s not always obvious, and it sometimes involves testing several dead ends. It’s also the reason why it’s difficult to find the answer for someone else, because without having the error myself, I can’t easily decide what’s the solution and what isn’t.

From local Windows at 192.168.1.253 we can connect, but from an address on the internet we cannot. Why?

Why is it not working?

When connecting from internet, it doesn’t work with:

a) Only Windows 7 device(s), others work correctly
b) All devices (or this one with Windows 7 was the only one you really tried)

?

If it’s b), then check the basics, if the connectivity works at all, you have correctly configured firewall, etc. If it’s a), it will be more difficult.

@Sob, I think the answer is in this other topic created by the author of this thread: http://forum.mikrotik.com/t/how-do-i-solve-error-0x8007274c-in-windows-7-when-connecting-vpn-from-windows-7-to-mirotik-hap-lite-router/132923/1

From Windows 10 everything is working inside from IP 192.168.1.253.

Inside doesn’t matter (much). It’s like saying that you can get in fridge when you’re in house, but you can’t get in fridge when you’re outside and house is locked. It’s two different things.