Connecting SSTP Client and SSTP Server on MT

Hello,
first time writer, long time reader.

In Short:

I would like to ROUTE two networks “172.17.0.0/16” and “172.16.0.0/16”, so that I can reach 172.16.0.0/16 and its clients from 172.17.0.0/16 and vice versa.

172.17.1.1 (Network: 172.17.0.0/16) MT-CHR
Network 172.17.0.0/16 with DHCP-Server on “management” bridge.
172.16.1.1 (Network: 172.16.0.0/16) SOFTETHER-SSTP-Server
Network 172.16.0.0/16 as SSTP-Client in SSTP-Connection to SOFTETHER-SSTP-Server

172.16.16.236 GW: 172.16.1.1 MT-CHR SSTP Client to SOFTETHER-SSTP-Server

In Long:
I have a Network of MT-Routers, which are connected via SSTP to a central MT-CHR. The SSTP Client and Server both use a PPP Profile, to add the SSTP-Connection into a “management” bridge. This bridge runs a DHCP-Server with a 172.17.0.0/16 Network, where the MT-CHR is 172.17.1.1. All connected SSTP-Clients and their connected devices get IP Addresses from 172.17.0.0/16.

[ MT-CHR 172.17.1.1 > 172.17.0.0/16 management bridge ] SSTP-Server ======== SSTP-Client [ MT , 172.17.0.0/16 ] ======== [ MT-DEVICE 172.17.0.0/16 ]

Secondly, the MT-CHR (172.17.1.1) is connected to a softether-VPN Network via SSTP again. We connect to the SSTP, where the softether-VPN-Server has the ip 172.16.1.1 and offers ips from 172.16.0.0/16. Our MT-CHR gets 172.16.16.236 as Client IP on its SSTP-Client connection.

[MT-CHR 172.16.0.0/16] SSTP-CLIENT ============== SSTP-SERVER [SOFTETHER, 172.16.1.1] ============ [ SE-DEVICE 172.16.0.0/16]

I want to be able to send packets from 172.16.0.0/16 to 172.17.0.0/16 and vice versa. In other words, make connections from MT-DEVICE to SE-DEVICE.

If any more information is necessary to help me out, or anything is unclear, please give me a hint.

Your best bet is to find an existing similar thread here on the forums or go look for the closest type of VPN youtube video that is recent enough. I am illiterate and thus find the wiki to be a mangled mess of instructions, that I would use as a weapon to confuse my enemies in wartime, or if in print, as toilet paper if I was really really desperate.

Here is an example of a really good iOS IKEv2 link… Hopefully you can find the same for SSTP.
I am not saying do not use the WIKI but its not necessarily the easiest thing to read or make sense of. Written by coders for coders/trained IT managers and not peasants like me.
https://jcutrer.com/howto/networking/mikrotik/ios-ikev2-vpn-mikrotik

Your post leaves many unanswered questions, so I’m making a lot of assumptions. I’ll start with the basics, and that this is mostly a guess.

To summarize: Your SSTP clients in 172.17.0.0/16 connect to MT-CHR (internal IP: 172.17.1.1/16). Then MT-CHR (external SSTP IP: 172.16.16.236) connects as an SSTP client to 172.16.1.1/16.

Based on the provided info, your MT-CHR might need a route to 172.16.0.0/16 (add dst-address=172.16.0.0/16 gateway=172.16.1.1) or it may already have it (or a default route). The upstream SSTP server at 172.16.1.1 probably needs a route to 172.17.0.0/16 (add dst-address=172.17.0.0/16 gateway=172.16.16.236).
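A worked version of the two routes described in this reply, as an added example that is not part of the reply or of the original poster's configuration. It assumes the names used in the thread: the SSTP client interface on MT-CHR toward SoftEther is called "softether", the SSTP server side is bridged into "management", and MT-CHR's address inside that tunnel is 172.16.16.236. The forward rules are the check a practitioner would add once two networks are joined over a tunnel: without them RouterOS forwards everything between the two sides.

```routeros
# Added example, not from the thread. Assumes interface names "softether" (SSTP
# client toward SoftEther) and "management" (bridge holding the SSTP server
# clients) and the tunnel address 172.16.16.236 from the original post.

# MT-CHR: send the SoftEther side's prefix into the SSTP client interface.
# An SSTP interface is point-to-point, so the interface name is a valid gateway
# and no next-hop address is needed.
/ip route
add dst-address=172.16.0.0/16 gateway=softether \
    comment="SoftEther side via SSTP client"

# MT-CHR: only the two joined prefixes may cross between the tunnels; anything
# else arriving from the SoftEther side is dropped.
/ip firewall filter
add chain=forward action=accept connection-state=established,related \
    comment="replies for flows already allowed"
add chain=forward action=accept in-interface=management out-interface=softether \
    src-address=172.17.0.0/16 dst-address=172.16.0.0/16
add chain=forward action=accept in-interface=softether out-interface=management \
    src-address=172.16.0.0/16 dst-address=172.17.0.0/16
add chain=forward action=drop in-interface=softether \
    comment="nothing else from the SoftEther side"

# Confirm which route MT-CHR selects for a SoftEther host before testing end to end.
/ip route check 172.16.1.1
```

If the SSTP client interface already carries a /16 address, RouterOS installs 172.16.0.0/16 as a connected route and the static entry is redundant; it is needed when the tunnel address is assigned as a /32, which is the usual PPP case. The SoftEther server needs the mirror-image route: on a Linux host it is `ip route add 172.17.0.0/16 via 172.16.16.236` (iproute2 syntax; the tap interface name is specific to that host). Without it, replies from the SoftEther side to a 172.17.x source follow the server's default route instead of the tunnel. If MT-CHR masquerades 172.17 sources onto the tunnel, as the export further down in the thread does, the far side sees 172.16.x sources for MT-initiated flows and the route only matters for connections started from the SoftEther side.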

To give you a better understanding, I added the config export.

/interface bridge
add name=management
/ip pool
# the pool must stop at .255.254: 172.17.255.255 is the broadcast address of the /16
add name=dhcp_pool1 ranges=172.17.10.1-172.17.255.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=management lease-script=\
    ":log info \"lease issued\"" name=dhcp1
/ppp profile
add bridge=management change-tcp-mss=yes dns-server=172.17.1.1 name=SSTP-VPN \
    on-down=":log info \"message\"" on-up=":log info \"message\"" only-one=yes \
    use-encryption=required use-mpls=yes
add bridge=management change-tcp-mss=yes dns-server=172.16.1.1 name=\
    SSTP-ADMIN-CLIENT only-one=yes use-encryption=required use-mpls=yes
# *FFFFFFFE is the built-in "default-encryption" profile; the SSTP client below
# uses it, so this line also asks for the SoftEther tunnel to be bridged into
# "management"
set *FFFFFFFE bridge=management only-one=yes use-mpls=yes

/interface sstp-client
add connect-to=luwin.ms.digital disabled=no name=softether password=\
    SECUREPW profile=default-encryption user=client1

/ip neighbor discovery-settings
# neighbor discovery (MNDP/CDP/LLDP) is enabled on every interface, including
# the WAN-facing ether1/ether2
set discover-interface-list=all

/interface sstp-server server
set authentication=mschap2 certificate=SSTP-Server default-profile=SSTP-VPN \
    enabled=yes

/ip address
add address=172.17.1.1/16 interface=management network=172.17.0.0
# a /16 on the tunnel interface makes 172.16.0.0/16 a connected route via softether
add address=172.16.16.236/16 interface=softether network=172.16.0.0

/ip dhcp-client
add disabled=no interface=ether1
add dhcp-options=hostname,clientid disabled=no interface=ether2

/ip dhcp-server network
add address=172.17.0.0/16 gateway=172.17.1.1

/ip dns
set servers=8.8.8.8

/ip firewall filter
# accepts everything addressed to the router itself; there is no drop rule, so
# every service on MT-CHR is reachable from every interface, WAN included
add action=accept chain=input

/ip firewall nat
add action=masquerade chain=srcnat disabled=yes out-interface=ether1
# rewrites 172.17.x sources to the tunnel address for traffic leaving toward
# SoftEther; the SoftEther side therefore sees 172.16.x sources for
# MT-initiated connections and only needs a 172.17.0.0/16 route for
# connections it starts itself
add action=masquerade chain=srcnat dst-address=172.16.0.0/16 out-interface=\
    softether src-address=172.17.0.0/16

/ppp secret
add name=client1 password=SECRETPW profile=SSTP-VPN service=sstp
add name=client2 password=SECRETPW profile=SSTP-ADMIN-CLIENT service=sstp

There is a dynamic route added for Dst.Address=172.16.0.0/16 Gateway=softether with Pref.Source=172.16.16.236. I now added a static route to the SoftEther as you described.

NOTE: The ip has changed from 172.16.16.236 to 172.16.6.34

root@luwin ~ # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         136.243.136.193 0.0.0.0         UG    0      0        0 enp0s31f6
172.16.0.0      172.16.1.1      255.255.0.0     UG    0      0        0 tap_vpn_bridge
172.17.0.0      172.16.6.34     255.255.0.0     UG    0      0        0 tap_vpn_bridge
root@luwin ~ # ping 172.16.6.34
PING 172.16.6.34 (172.16.6.34) 56(84) bytes of data.
64 bytes from 172.16.6.34: icmp_seq=1 ttl=64 time=6.16 ms
64 bytes from 172.16.6.34: icmp_seq=2 ttl=64 time=6.09 ms
^C
--- 172.16.6.34 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 6.099/6.131/6.164/0.084 ms
root@luwin ~ # ping 172.17.1.1
PING 172.17.1.1 (172.17.1.1) 56(84) bytes of data.
^C
--- 172.17.1.1 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3055ms

No luck though. Any suggestions on how to debug the packet routes and where there is no connection?

My analysis of whether the route is working is /tool ping with dst.address=172.16.1.1 and interface=management.
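The checks below are an added example, not part of the original post, of how to find the hop at which 172.17 <-> 172.16 traffic leaves the intended path. They assume the interface names "softether" and "management" and the addresses from the export above (172.17.1.1 on the bridge, 172.16.16.236 or its replacement on the tunnel). The important detail is the source address of the probe: `interface=` forces the probe out of the named interface, so a ping to 172.16.1.1 with interface=management never uses the tunnel route, whereas `src-address=172.17.1.1` makes the SoftEther side route the reply back to 172.17.0.0/16, which is exactly the path in doubt.

```routeros
# Added example (not from the thread). Assumes interface names "softether" and
# "management" and the addresses posted in the export above.

# 1. Which route wins for a SoftEther host on MT-CHR?
/ip route print detail where dst-address in 172.16.0.0/16
/ip route check 172.16.1.1

# 2. Probe the SoftEther server from the management address. This only succeeds
#    if the far side has a route for 172.17.0.0/16 pointing back into the tunnel
#    (the masquerade rule in the export does not apply to router-originated
#    traffic with an explicit source address).
/tool ping 172.16.1.1 src-address=172.17.1.1 count=3

# 3. Same probe from the tunnel address. This should succeed even without a
#    return route on the SoftEther host, since the source is inside its own /16.
#    If 2 fails and 3 works, the far side's return route is the problem.
/tool ping 172.16.1.1 src-address=172.16.16.236 count=3

# 4. Watch the tunnel while the SoftEther host pings 172.17.1.1. If the echo
#    request appears here but no reply leaves, look at MT-CHR (input policy, or
#    a reply routed out another interface); if nothing appears, the SoftEther
#    side never forwarded the request into this tunnel.
/tool sniffer quick interface=softether ip-protocol=icmp

# 5. Confirm whether MT-initiated traffic is being NATed onto the tunnel address:
#    a rising counter here means the far side sees 172.16.x, not 172.17.x, sources.
/ip firewall nat print stats where src-address=172.17.0.0/16
```

Run step 4 from a second terminal while the far-side ping is in progress; the sniffer prints one line per matching packet with the in/out interface and both addresses, which is usually enough to tell a missing return route from a dropped reply.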


Funny :smiley:

Your MT-DEVICE with IP of 172.17.1.x doesn’t know where the 172.16.0.0/16 network is. The MT-DEVICES need a route that says to forward 172.16.0.0/24 to

Your SE-DEVICE with IP of 172.16.1.1 doesn’t know where the 172.17.0.0/16 is. The SE-DEVICE needs a route to send 172.17 packets to 172.16.16.236. I’m not familiar with SoftEther, hopefully you can reserve IPs for clients based on IP? For example, if the SE-DEVICE was a Mikrotik, you’d create an SSTP-Server-interface for a given username, then route based on that interface.

Tools > Torch is a good tool for following packets. Without the above routes, you’d probably notice that the packets destined for 172.16.0.0/24 on the MT-DEVICE are being routed to the internet instead of over your SSTP VPN.

I tinkered with the SoftEther L3 capabilities, since by default it establishes an L2 VPN. I saw that you can assign interfaces and routes to it.

I am trying to add an interface to the SoftEther VPN, assign it to a client and add a route to it.

Question: I feel that in general in MT it should be possible to add a route for 172.16.0.0/16 with gw so that packets would be routed over it. But with /tool torch I don't observe this behavior. Should I add a firewall rule to forward 172.16.0.0 to ? If yes, how?

I simplified it even more. I now have a hEX PoE, where I created two bridges:

  • SOFTETHER with ip 172.16.1.1/16 and DHCP-Server for 172.16.0.0/16 with GW 172.16.1.1
  • MT-CHR with ip 172.17.1.1/16 and DHCP-Server for 172.17.0.0/16 with GW 172.17.1.1

I then added

  • ether4 to SOFTETHER bridge as port
  • ether5 to MT-CHR bridge as port

When I connect clients to each ETHERNET-INTERFACE:

  • ether4 SOFTETHER-CLIENT with ip 172.16.255.255
  • ether5 MT-CHR-CLIENT with ip 172.17.255.255

My Question: What do I have to do so that MT-CHR-CLIENT 172.17.255.255 will be able to establish any connection with SOFTETHER-CLIENT 172.16.255.255?
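An added example for the simplified two-bridge setup, not taken from the post: one router, one /16 on each bridge, DHCP pools, and explicit forward rules between the two segments. It assumes the bridge and port names listed above and that the hEX has no other forward-chain drop rules. Two points worth checking before anything else: 172.16.255.255 and 172.17.255.255 are the directed-broadcast addresses of those /16s, so a host configured with either will not behave as a unicast endpoint and needs an address from inside the pool; and with both /16s connected to the same router no static route is required at all, the router forwards between them as soon as the forward chain allows it and each client uses its own .1.1 as gateway.

```routeros
# Added example (not the OP's config). Assumes the bridge and port names from
# the post; adjust pool ranges to taste, but keep .0.0 and .255.255 out of them.
/interface bridge
add name=SOFTETHER
add name=MT-CHR
/interface bridge port
add bridge=SOFTETHER interface=ether4
add bridge=MT-CHR interface=ether5

/ip address
add address=172.16.1.1/16 interface=SOFTETHER
add address=172.17.1.1/16 interface=MT-CHR

/ip pool
# 172.16.255.255 and 172.17.255.255 are the broadcast addresses of these /16s
# and must never be handed to a host.
add name=pool-softether ranges=172.16.1.2-172.16.255.254
add name=pool-mtchr ranges=172.17.1.2-172.17.255.254

/ip dhcp-server
add name=dhcp-softether interface=SOFTETHER address-pool=pool-softether disabled=no
add name=dhcp-mtchr interface=MT-CHR address-pool=pool-mtchr disabled=no
/ip dhcp-server network
add address=172.16.0.0/16 gateway=172.16.1.1 dns-server=172.16.1.1
add address=172.17.0.0/16 gateway=172.17.1.1 dns-server=172.17.1.1

# Forwarding between the two segments is explicit, so a later catch-all
# forward drop (for WAN hardening) does not silently cut them apart.
/ip firewall filter
add chain=forward action=accept connection-state=established,related
add chain=forward action=accept in-interface=MT-CHR out-interface=SOFTETHER \
    src-address=172.17.0.0/16 dst-address=172.16.0.0/16
add chain=forward action=accept in-interface=SOFTETHER out-interface=MT-CHR \
    src-address=172.16.0.0/16 dst-address=172.17.0.0/16

# Checks: the router reaches a client on each side from the opposite gateway
# address, which exercises the client's default-gateway setting as well.
/tool ping 172.16.1.2 src-address=172.17.1.1 count=3
/tool ping 172.17.1.2 src-address=172.16.1.1 count=3
```

If the router's pings succeed but a client-to-client ping still fails, the remaining suspect is the client itself: a host firewall that only answers its own subnet, or a client that kept a manually set .255.255 address instead of taking a DHCP lease. If the accept rules above are ever combined with a final `chain=forward action=drop`, they must be ordered before it.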