ROS SSTP Client to SoftEther SSTP Server

Hi,

I’m trying to get a VPN working where both ends are behind a NAT.

I’ve got a VPS in the cloud that is acting as a bridge, running SoftEther VPN.

Only thing is I can’t get SSTP working; I can see incoming connections, but both ends just seem to fail.

The logging in ROS is poor and gives little information as to why it is failing. Is there any way to increase the SSTP log output?

I don’t think NAT is the cause. I’ve also tried just connecting to a local Linux box and get the same result.

Certs are self-signed using easy-rsa. I’ve also tried StartSSL with the same result.

I’m trying to set up pretty much the same scenario; I haven’t been able to connect a MikroTik client to a SoftEther OVPN or SSTP server.

I think we need a little bit of help here.

I was able to do it, but there are huge speed problems with SSTP on MikroTik.
You need to import the certificate and disable the checks.
On the Dial Out tab, untick the checkboxes and select the proper certificate.

Logging is really detailed if you add the topic you want under System -> Logging.

I have a ticket running with MT support. They’re investigating my configuration.

SSTP SoftEther <----> MikroTik will drop connections at random right now.
Have not tried ovpn…

In the meantime, you can use L2TP/IPSec, it’s pretty solid and stable…


Configuration on the SE server is pretty straightforward: just enable the L2TP/IPSec function and create a user on the virtual hub.

If you can, avoid SecureNAT and use standard Linux bridging/forwarding; SecureNAT is way slower. You will also need a DHCP server in the bridging case; I use dnsmasq, for example.

IPSec configuration:

/ip ipsec proposal
add enc-algorithms=aes-256-cbc name=outer-vpn pfs-group=none
/ip ipsec peer
add address=$SERVER_IP/32 comment="Peer" enc-algorithm=aes-256 secret=$PASSWORD
/ip ipsec policy
add comment=my-awesome-vpn-provider dst-address=$SERVER_IP/32 proposal=outer-vpn protocol=udp sa-dst-address=$SERVER_IP sa-src-address=$LOCAL_EXTERNAL_IP src-address=\
    $LOCAL_EXTERNAL_IP/32

L2TP Client config:

/interface l2tp-client
add allow=mschap2 comment="IPSec/L2TP vpn" connect-to=$SERVER_IP disabled=no mrru=1600 name=l2tp-out-vpn password=$PASSWORD profile=\
    outer-vpn user=$USER

To verify things, open the status of your l2tp-out-vpn connection. You should see “cbc(aes) + hmac(sha1)” in the connection status.

Or, alternatively, disable the IPSec peer and policy, disconnect the L2TP interface, and try to reconnect. The connection SHOULD NOT work with IPSec disabled (L2TP does not provide any encryption/security and should be avoided unless you really don’t need it).

Oh, and don’t forget to masquerade the l2tp interface. Good luck!
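The pairing this post relies on (every L2TP client must have an IPsec peer and a UDP policy for the same server, and the proposal must not use a weak cipher) can be checked mechanically before dialling. The script below is an added example written for this thread, not code from the thread, from MikroTik or from SoftEther. It parses a RouterOS v6-style export (the thread's own commands, with their $SERVER_IP-style placeholders kept as literal text), joins the backslash continuation lines, and reports an L2TP client that would run unencrypted. The second export is a constructed L2TP-only config that shows the failure case; the weak-algorithm lists and the menu names it looks for are the script's own assumptions.

```python
"""Lint a RouterOS export for an L2TP client that is not paired with IPsec."""
import shlex

# Constructed sample: the commands posted in this thread, placeholders kept.
SAMPLE_EXPORT = r"""
/ip ipsec proposal
add enc-algorithms=aes-256-cbc name=outer-vpn pfs-group=none
/ip ipsec peer
add address=$SERVER_IP/32 comment="Peer" enc-algorithm=aes-256 secret=$PASSWORD
/ip ipsec policy
add comment=my-awesome-vpn-provider dst-address=$SERVER_IP/32 proposal=outer-vpn protocol=udp sa-dst-address=$SERVER_IP sa-src-address=$LOCAL_EXTERNAL_IP src-address=\
    $LOCAL_EXTERNAL_IP/32
/interface l2tp-client
add allow=mschap2 comment="IPSec/L2TP vpn" connect-to=$SERVER_IP disabled=no mrru=1600 name=l2tp-out-vpn password=$PASSWORD profile=\
    outer-vpn user=$USER
"""

# Constructed sample: the same L2TP client with the IPsec parts missing.
UNPROTECTED_EXPORT = r"""
/interface l2tp-client
add connect-to=$SERVER_IP disabled=no name=l2tp-out-vpn password=$PASSWORD user=$USER
"""

# Assumed lists of algorithms this linter treats as unacceptable.
WEAK_ENC = {"null", "des", "3des"}
WEAK_AUTH = {"null", "md5"}


def _logical_lines(text):
    """Join RouterOS backslash-continued lines into single commands."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("\\"):
            buf += line[:-1]          # continuation: keep collecting
            continue
        out.append(buf + line)
        buf = ""
    if buf:
        out.append(buf)
    return out


def parse_export(text):
    """Return {menu path: [ {key: value, ...}, ... ]} for every 'add' command."""
    entries, menu = {}, None
    for cmd in _logical_lines(text):
        if cmd.startswith("/"):
            menu = cmd                # e.g. "/ip ipsec policy"
            continue
        tokens = shlex.split(cmd)     # handles comment="Peer" quoting
        if menu is None or not tokens or tokens[0] != "add":
            continue
        kv = {}
        for tok in tokens[1:]:
            key, _, value = tok.partition("=")
            kv[key] = value
        entries.setdefault(menu, []).append(kv)
    return entries


def _host(addr):
    """Strip a /prefix so 'X/32' compares equal to 'X'."""
    return addr.split("/")[0]


def lint(text):
    """Return a list of findings; an empty list means the export passes."""
    cfg = parse_export(text)
    findings = []
    proposals = {p.get("name"): p for p in cfg.get("/ip ipsec proposal", [])}
    peers = {_host(p.get("address", "")) for p in cfg.get("/ip ipsec peer", [])}
    policies = cfg.get("/ip ipsec policy", [])

    for name, prop in proposals.items():
        for alg in prop.get("enc-algorithms", "").split(","):
            if alg in WEAK_ENC:
                findings.append(f"proposal {name}: weak encryption algorithm {alg}")
        # RouterOS defaults auth-algorithms to sha1 when it is not exported.
        for alg in prop.get("auth-algorithms", "sha1").split(","):
            if alg in WEAK_AUTH:
                findings.append(f"proposal {name}: weak auth algorithm {alg}")

    for client in cfg.get("/interface l2tp-client", []):
        name = client.get("name", "?")
        server = client.get("connect-to", "")
        if server not in peers:
            findings.append(f"{name}: no IPsec peer for {server}; L2TP would run unencrypted")
        matching = [p for p in policies
                    if _host(p.get("dst-address", "")) == server
                    and p.get("protocol", "all") == "udp"]
        if not matching:
            findings.append(f"{name}: no UDP IPsec policy for {server}; L2TP would run unencrypted")
        for pol in matching:
            prop = pol.get("proposal", "default")   # "default" is built in, never exported
            if prop != "default" and prop not in proposals:
                findings.append(f"{name}: policy references unknown proposal {prop}")
    return findings


if __name__ == "__main__":
    for label, export in (("thread config", SAMPLE_EXPORT), ("l2tp only", UNPROTECTED_EXPORT)):
        print(label, "->", lint(export) or "ok")
```

Run it against `/export` output saved from the router; it mirrors the manual check in the post (disable the peer and policy and the tunnel must fail to come up), but catches the misconfiguration before the interface is ever enabled. The check is deliberately limited to the v6 syntax shown in the thread, where the pre-shared key sits on the peer; a v7 export puts it under `/ip ipsec identity` and would need that menu added to the parser.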