Having weird issue with configuring somewhat basic SSTP VPN connection from client (Windows PC) device to hEX using certificates.
Have created both CA and TLS Server certs, enabled SSTP and allowed 443 port input in FW rules, created according profile and installed CA cert in to Windows Trusted Root Authorities, but getting this error:
At this point I'm not sure whether it's something configuration related on the MikroTik or maybe Windows is being Windows, because in a different location everything with the same SSTP configuration works perfectly fine.
A few details: running the latest ROS v7.16.1 on both hEX test devices in different locations, different public IPs and ISPs - one works, the other does not.
Let me call it sender and receiver, not nodes. Both nodes will switch roles on sending or receiving.
Likely the MT will have to present its certificate first as sender to Windows as receiver, then the client presents its own certificate, this time as sender to MT as receiver. In each case, the other node must successfully verify the certificate and chain. Chain verification includes that the other node sends its own certificate and the receiver has the root CA. There may be intermediate or subordinate CAs, but here it depends on the implementation. You can either import them on the receiver or have the sender send them (typically also by importing them).
In the end, the receiver must be able to verify the sender's stuff, then switch roles.
You may be able to test with a packet capture, if it is able to decode the packets, and you may be able to read the certificates. You won’t be able to read the packets themselves, but for example in TLS1_2 or RADIUS EAP you can read certificates very nicely and by doing so, often identify that some intermediate etc. is missing.
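The chain verification described in the reply above, as an added example that is not part of this thread and is not MikroTik or Windows code: it builds a constructed root CA, intermediate CA and server certificate with Go's standard library, then plays the receiver three times, once with the root trusted and the intermediate sent, once with the intermediate missing, and once with the root not imported on the receiver. The hostname `sstp.example.net` and the CA names are assumptions made up for the example. The last two cases fail the same way, which is why a capture that shows which certificates were actually sent is useful for telling them apart.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ServerName is the constructed hostname the server leaf is issued for (assumption).
const ServerName = "sstp.example.net"

// DemoPKI is a constructed three-tier chain: root CA -> intermediate CA -> server leaf.
type DemoPKI struct {
	Root, Intermediate, Leaf *x509.Certificate
}

// newCert issues a certificate for cn. When parent is nil the certificate is
// self-signed (a root CA); otherwise it is signed by parent using parentKey.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		// A server leaf: the kind of certificate the VPN gateway presents to the client.
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildDemoPKI creates the constructed root -> intermediate -> leaf chain.
func BuildDemoPKI() (*DemoPKI, error) {
	root, rootKey, err := newCert("Demo Root CA", true, nil, nil)
	if err != nil {
		return nil, err
	}
	inter, interKey, err := newCert("Demo Intermediate CA", true, root, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, _, err := newCert(ServerName, false, inter, interKey)
	if err != nil {
		return nil, err
	}
	return &DemoPKI{Root: root, Intermediate: inter, Leaf: leaf}, nil
}

// VerifyChain plays the receiver: it trusts only trustedRoots, has whatever
// intermediates were sent by the peer or imported locally, and checks that the
// leaf chains to a trusted root and matches the expected server name.
func VerifyChain(leaf *x509.Certificate, trustedRoots, sentIntermediates []*x509.Certificate, serverName string) error {
	roots := x509.NewCertPool()
	for _, r := range trustedRoots {
		roots.AddCert(r)
	}
	inters := x509.NewCertPool()
	for _, i := range sentIntermediates {
		inters.AddCert(i)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: serverName})
	return err
}

// IsUnknownAuthority reports whether err means "no path to a trusted root",
// the failure produced both by a missing intermediate and by a missing root.
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	pki, err := BuildDemoPKI()
	if err != nil {
		panic(err)
	}
	root := []*x509.Certificate{pki.Root}
	inter := []*x509.Certificate{pki.Intermediate}
	fmt.Println("root trusted, intermediate sent:   ", VerifyChain(pki.Leaf, root, inter, ServerName))
	fmt.Println("root trusted, intermediate missing:", VerifyChain(pki.Leaf, root, nil, ServerName))
	fmt.Println("root not imported on receiver:     ", VerifyChain(pki.Leaf, nil, inter, ServerName))
}
```

Run it with `go run .`; the first line prints `<nil>` and the other two print the same "certificate signed by unknown authority" error, the Go equivalent of the Windows client rejecting the gateway's certificate. The same function also rejects a leaf whose name does not match the address the client connects to, which is a separate failure from the chain problems above.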