I tried for about an hour last night to get a backup CCR running - for those “just in case” times. Same make and model as the first one.
I loaded the backup file on the second router - but SSTP VPN users could not connect.
Can anyone lay out specific steps to do this properly? I do not want to replace the certificate as then I would have to distribute it to everyone, as well as travel to the remote routers set up for point to point VPN.
I’ve seen some information here, but it is a couple of years old - and I could not get it to go.
I have a CA, Server and Key file.
– EDIT –
In my continued searches, I just found this for OVPN which I can try. Of course, to try it and verify it, I need to move the WAN cable from current router to backup. http://forum.mikrotik.com/t/ovpn-server-failover/144635/2
Can anyone else confirm this should work for SSTP?
The backup files are not intended to be restored on other devices, even if the same model running the same firmware, as the backup also contains MAC addresses (which normally should not be cloned) and possibly some other stuff (which may theoretically ruin some calibration).
The certificates in particular are somehow linked to the board serial number, hence they don’t work if restored from the backup on a board with another serial number.
Yes, certificate export and import is the same no matter the service you use them for.
A separate export and import of the certificate(s) according to the link will work. The binding between the certificate and the serial number exists internally, but an exported certificate doesn’t contain any reference to the serial number, so it can be imported anywhere (even to something other than Mikrotik).
The correct way is to use a configuration export (which is actually a script), and edit it before running it on the destination machine. Typically, you remove any manual settings of MAC addresses in bridge configurations, add :delay 1m as the very first line, place the edited file on the destination device in a place where it can survive a reboot (which is flash/ on some devices), and then run /system reset-configuration keep-users=yes run-after-reset=the-modified-export.rsc. Certificates must be exported and imported separately. I don’t know a way to import one's own certificates automatically, as the private key for a certificate is only exported if you enter the passphrase, and the passphrase for import must be provided manually.
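The export clean-up described in the post above, as an added example that is not part of the thread or MikroTik's own tooling: a Python script that prepends :delay 1m and strips manual bridge MAC settings from a configuration export, returning what it removed so the change can be reviewed. It assumes the export wraps long commands with a trailing backslash; the function names are hypothetical, the sample export is constructed, and certificates still have to be exported and imported separately.

```python
import re

# Properties that pin a bridge to the source router's MAC address.
MAC_PROPS = re.compile(r'\s+(?:admin-mac|auto-mac)=\S+')


def join_continuations(text):
    """Re-join commands that the export wrapped with a trailing backslash
    (assumed wrapping style: backslash, newline, indented continuation)."""
    return re.sub(r'\\\r?\n[ \t]*', '', text)


def prepare_export(text):
    """Return (script, removed): the export ready for run-after-reset,
    plus the list of bridge MAC properties that were stripped."""
    out, removed, menu = [':delay 1m'], [], ''
    for line in join_continuations(text).splitlines():
        if line.startswith('/'):
            menu = line.strip()            # current menu, e.g. "/interface bridge"
        elif menu == '/interface bridge':  # only touch bridge definitions
            removed += [m.strip() for m in MAC_PROPS.findall(line)]
            line = MAC_PROPS.sub('', line)
        out.append(line)
    return '\n'.join(out) + '\n', removed


# Constructed sample export (not taken from a real router).
SAMPLE = r"""# constructed sample export
/interface bridge
add admin-mac=02:00:00:AA:BB:01 auto-mac=no comment="LAN bridge" \
    name=bridge-lan
/interface ethernet
set [ find default-name=ether1 ] name=wan
/interface sstp-server server
set certificate=server enabled=yes
"""

if __name__ == '__main__':
    script, removed = prepare_export(SAMPLE)
    print(script)
    print('removed:', removed)
```

The SSTP server line still refers to the certificate by name, so a certificate with that name must already be imported on the destination router for the setting to take effect.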
According to the manual, other same model devices are supported:
RouterOS backup feature allows you to save your current device’s configuration, which then can be re-applied on the same or a different device (with the same model name/number). This is very useful since it allows you to effortlessly restore device’s configurations or to re-apply the same configuration on a backup device. System’s backup file also contains the device’s MAC addresses, which are also restored when the backup file is loaded.
So if it doesn’t restore fully working certificates, you can report it as a bug.
Personally I just use exports and have the missing stuff separately. Basically it means to not use RouterOS to create certificates.