Mikrotik 6.31 SSTP VPN Server - connection with Windows 7 error 619

Hello,

As in the subject - I have a problem with this connection. Everything is OK, but after user authentication Windows throws error 619 at me, and the logs in Mikrotik look as follows:

12:27:14 sstp,ppp,debug,packet  <sstp-testsstp>: sent CHAP Success id=0x1 
12:27:14 sstp,ppp,debug,packet     S=E67149462C6102307139E7F038D239C24CC7DB92 
12:27:14 sstp,ppp,debug,packet  <sstp-testsstp>: sent CBCP CallbackReq id=0x0 
12:27:14 sstp,ppp,debug,packet      01 02 
12:27:14 sstp,packet <sstp-testsstp> recv control packet type: connected 
12:27:14 sstp,packet 10 01 00 70 00 04 00 01 00 03 00 68 00 00 00 02  
12:27:14 sstp,packet de 60 5d 69 a8 3e f8 ef 7a 96 25 d4 78 3b b2 a6  
12:27:14 sstp,packet db 66 e1 c6 4d d8 95 27 75 da e3 33 4d 8c 0b 2b  
12:27:14 sstp,packet f2 e4 49 10 06 0c 04 61 6b ee b4 57 18 7f e2 ae  
12:27:14 sstp,packet 9f 1b db 4a aa af c2 bc 0c 07 e8 aa b0 2b fd d3  
12:27:14 sstp,packet c1 cd bf a0 e9 61 eb 75 8c 72 cf 27 1a 7f 6e 57  
12:27:14 sstp,packet d8 a6 3f 91 8c 29 b2 db f4 6f bf 2c c0 a0 af ea  
12:27:14 sstp,packet <sstp-testsstp> sent control packet type: abort 
12:27:14 sstp,packet 10 01 00 14 00 05 00 01 00 02 00 0c 00 00 00 03  
12:27:14 sstp,packet 00 00 00 0b  
12:27:14 sstp,ppp,debug <sstp-testsstp>: LCP lowerdown 
12:27:14 sstp,ppp,debug <sstp-testsstp>: LCP closed 
12:27:14 sstp,ppp,debug <sstp-testsstp>: CCP lowerdown 
12:27:14 sstp,ppp,debug <sstp-testsstp>: CCP down event in initial state 
12:27:14 sstp,ppp,debug <sstp-testsstp>: BCP lowerdown 
12:27:14 sstp,ppp,debug <sstp-testsstp>: BCP down event in initial state 
12:27:14 sstp,ppp,debug <sstp-testsstp>: IPCP lowerdown 
12:27:14 sstp,ppp,debug <sstp-testsstp>: IPCP down event in initial state 
12:27:14 sstp,ppp,debug <sstp-testsstp>: IPV6CP lowerdown 
12:27:14 sstp,ppp,debug <sstp-testsstp>: IPV6CP down event in initial state 
12:27:14 sstp,ppp,debug <sstp-testsstp>: MPLSCP lowerdown 
12:27:14 sstp,ppp,debug <sstp-testsstp>: MPLSCP down event in initial state 
12:27:14 sstp,ppp,info <sstp-testsstp>: terminating... - cert hash not matching
12:27:14 sstp,ppp,debug <sstp-testsstp>: LCP lowerdown 
12:27:14 sstp,ppp,debug <sstp-testsstp>: LCP down event in starting state 
12:27:14 sstp,ppp,info,account testsstp logged out, 1 0 0 0 0 
12:27:14 sstp,ppp,info <sstp-testsstp>: disconnected

Of course I installed the CA cert in the Local Computer Trusted Root CA store on the Windows client.

What is the matter? Can anyone help?

Things to check:

– In PPP > Interfaces > SSTP Server, enable mschap2 for auth, apparently Win 7 doesn’t support mschap1 anymore.

– In PPP > Profiles, edit the profile you’re using. Is it giving out IPs from an IP pool? However this would cause error 720 on a windows machine.

For my profile, I’m using: MPLS:Default, UseCompression:default, Use VJ Compression:Default, UseEncryption:yes

– On Win 7, did you install the CA certificate into the MACHINE store? By default it installs to the user profile, which is not valid as an SSTP VPN operates at the machine level. When importing the cert, select “Place all certificates in the following store”, then on the next dialog, select “Show Physical Stores”. Select Trusted Root Cert Authorities → Local Computer

  • On Win 7, don’t specify a client side cert.

– In PPP > Secrets, edit your secret. Service needs to say either SSTP or ANY

– Is your network using IPv6? If not, disable the protocol on the VPN interface in windows (properties > Networking, uncheck IPv6)

Hi,

Thank you very much for any suggestions; my answers below:

– In PPP > Interfaces > SSTP Server, enable mschap2 for auth, apparently Win 7 doesn’t support mschap1 anymore.

I have only MSCHAP2 selected, as in Win7 VPN connection config.

– In PPP > Profiles, edit the profile you’re using. Is it giving out IPs from an IP pool? However this would cause error 720 on a windows machine.

My SSTP profile is using a static address as ‘local address’ and a DHCP pool as ‘remote address’.

For my profile, I’m using: MPLS:Default, UseCompression:default, Use VJ Compression:Default, UseEncryption:yes

My profile: MPLS: default, Use Compression: default, Use Encryption: required, Change TCP MSS: default; I don’t know the option ‘Use VJ Compression’ - where and what is it?

– On Win 7, did you install the CA certificate into the MACHINE store? By default it installs to the user profile, which is not valid as an SSTP VPN operates at the machine level. When importing the cert, select “Place all certificates in the following store”, then on the next dialog, select “Show Physical Stores”. Select Trusted Root Cert Authorities → Local Computer

Yes, in local machine store.

  • On Win 7, don’t specify a client side cert.

I don’t specify that, only MSCHAP2.

– In PPP > Secrets, edit your secret. Service needs to say either SSTP or ANY

In ‘Service’ I have selected SSTP.

– Is your network using IPv6? If not, disable the protocol on the VPN interface in windows (properties > Networking, uncheck IPv6)

Not using IPv6 → disabled it on the VPN connection in Windows → no change.

Maybe this piece of the log would give some information regarding the cause of my problems:

12:27:14 sstp,ppp,info <sstp-testsstp>: terminating... - cert hash not matching

I can’t find info on “cert hash not matching” and can’t reproduce error 619 on a Windows VPN. I tried various misconfigurations and Windows gave me descriptive error messages.

I think error 619 means there was an error in the connection protocol (vs a negotiation error). Could be a bug in the Routerboard firmware. You could downgrade the firmware to test, or try from another PC.

Sorry I don’t have any more ideas to test.

Send a supout file to support.

I have the same problem, “cert hash not matching”; I’m using a wildcard cert on my MT 6.32.1.
I sent my supout file to you.

EDIT

I downloaded and installed the packages for 6.32.1 again from Winbox (Check for Updates - Download and Install) and now SSTP established the connection correctly.
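
For readers debugging the same "cert hash not matching" termination, the following is an added example, not part of the original thread and not MikroTik's code: a Python parser for the SSTP "connected" control packet shown in the first post's log, which extracts the certificate hash the Windows client sent so it can be compared with a hash of the server certificate. The field layout follows the MS-SSTP Crypto Binding attribute; `server_cert_der` is an assumed input (the DER bytes of the certificate configured on the SSTP server).

```python
import hashlib
import hmac
import struct

# "connected" control packet copied from the RouterOS debug log in the thread.
CALL_CONNECTED = bytes.fromhex("""
10 01 00 70 00 04 00 01 00 03 00 68 00 00 00 02
de 60 5d 69 a8 3e f8 ef 7a 96 25 d4 78 3b b2 a6
db 66 e1 c6 4d d8 95 27 75 da e3 33 4d 8c 0b 2b
f2 e4 49 10 06 0c 04 61 6b ee b4 57 18 7f e2 ae
9f 1b db 4a aa af c2 bc 0c 07 e8 aa b0 2b fd d3
c1 cd bf a0 e9 61 eb 75 8c 72 cf 27 1a 7f 6e 57
d8 a6 3f 91 8c 29 b2 db f4 6f bf 2c c0 a0 af ea
""")

CRYPTO_BINDING = 3                              # attribute ID (MS-SSTP)
HASHES = {1: ("sha1", 20), 2: ("sha256", 32)}   # hash protocol bitmask


def parse_control(pkt):
    """Return (message_type, [(attr_id, value), ...]) for an SSTP control packet."""
    _version, flags, length = struct.unpack_from(">BBH", pkt, 0)
    if not flags & 0x01 or (length & 0x0FFF) != len(pkt):
        raise ValueError("not a complete SSTP control packet")
    msg_type, n_attrs = struct.unpack_from(">HH", pkt, 4)
    attrs, off = [], 8
    for _ in range(n_attrs):
        _rsvd, attr_id, attr_len = struct.unpack_from(">BBH", pkt, off)
        attr_len &= 0x0FFF                      # top 4 bits are reserved
        if attr_len < 4 or off + attr_len > len(pkt):
            raise ValueError("attribute length out of bounds")
        attrs.append((attr_id, pkt[off + 4:off + attr_len]))
        off += attr_len
    return msg_type, attrs


def client_cert_hash(pkt):
    """Return (hash_name, cert_hash) from the Crypto Binding attribute."""
    _msg_type, attrs = parse_control(pkt)
    for attr_id, value in attrs:
        if attr_id == CRYPTO_BINDING and len(value) == 100:
            # value: 3 reserved, 1 hash bitmask, 32 nonce, 32 cert hash, 32 MAC
            name, size = HASHES[value[3]]
            return name, value[36:36 + size]    # SHA-1 is zero-padded to 32
    raise ValueError("no Crypto Binding attribute")


def cert_hash_matches(pkt, server_cert_der):
    """Compare the client's hash with the hash of the server's DER certificate."""
    name, seen = client_cert_hash(pkt)
    expected = hashlib.new(name, server_cert_der).digest()
    return hmac.compare_digest(seen, expected)
```

Run against the packet from the log, `client_cert_hash` shows the client used SHA-256; a `False` from `cert_hash_matches` means the certificate the client received during the TLS handshake is not the one whose DER bytes were passed in.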