SSTP does not work without certificate

Hi.
I have the IP address of the SSTP server (Zyxel Keenetic), and the login and password for the SSTP VPN client.
The Windows client can connect without problems (without a special certificate, etc.), but the MikroTik SSTP client doesn’t want to work.

13:28:54 sstp,ppp,debug Human: LCP lowerdown
13:28:54 sstp,ppp,debug Human: LCP down event in initial state
13:28:54 sstp,ppp,info Human: disconnected
13:28:55 sstp,ppp,info Human: initializing…
13:28:55 sstp,ppp,info Human: connecting…
13:28:55 sstp,ppp,debug Human: CCP close
13:28:55 sstp,ppp,debug Human: BCP close
13:28:55 sstp,ppp,debug Human: IPCP close
13:28:55 sstp,ppp,debug Human: IPV6CP close
13:28:55 sstp,ppp,debug Human: MPLSCP close
13:28:55 sstp,ppp,info Human: terminating… - handshake failed: error 14077410 (6)

name: Human
max-mtu: 1500
max-mru: 1500
mrru: 1600
connect-to: x.x.x.x:443
http-proxy: 0.0.0.0:443
certificate: none
verify-server-certificate: no
verify-server-address-from-certificate: yes
user: login
password: pass
profile: SSTP
keepalive-timeout: 60
add-default-route: no
dial-on-demand: no
authentication: chap,mschap2
pfs: no
tls-version: any

What am I doing wrong?

SSTP is a certificate-based tunnel protocol, so it will not work without a certificate! You can generate one for free on the Internet and use it!

How does the SSTP Windows client connect in this case?
Without specifying a certificate?

They use Windows-based auto-generated certificates!

I’m sorry for the importunity, I’m just missing something.
If the Windows client does not know which certificate is on the server side, but it generates some certificate and everything works, then I can generate it in the same way for the MikroTik SSTP client.
Do I understand correctly?

Not true 100%…
When SSTP is used between two MikroTik devices, no certificate is needed…

There’s a server certificate and a client certificate. The server certificate is required; the client certificate for SSTP is AFAIK only MikroTik’s speciality and not used otherwise. The server must have its own if it works with Windows clients, and you don’t have a client certificate here, which is correct.

I asked Google about error 14077410 and I’m too lazy to read too much about it, but maybe it’s something about an old protocol, so try to set tls-version=only-1.2. If it doesn’t help, try to find out more about what exactly that error means.

Even if it does help, you should import the CA certificate that issued the server certificate to the router and use verify-server-certificate=yes, because without it the connection is open to MITM attacks.
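Added example (not from any poster in this thread): the CA import and hardened client settings described above, written out as RouterOS CLI against the sstp-client interface printed earlier. The file name ca.crt is an assumption; the CA certificate must be uploaded to the router's Files first, and the interface name Human is taken from the print output above.

```routeros
# Import the CA certificate that issued the SSTP server's certificate.
# ca.crt is an assumed file name, uploaded to the router beforehand.
/certificate import file-name=ca.crt

# Confirm the CA is now in the store (it should show the T=trusted flag).
/certificate print

# Turn on server certificate verification (the weak setting in the
# original config was verify-server-certificate=no) and pin TLS 1.2,
# which was the other suggestion in the thread.
/interface sstp-client set [find name="Human"] verify-server-certificate=yes verify-server-address-from-certificate=yes tls-version=only-1.2

# Check the result: the R flag means the tunnel is running, and the log
# shows whether the handshake now succeeds or which step rejects it.
/interface sstp-client print detail where name="Human"
/log print where message~"Human"
```

If the handshake now fails with a certificate error instead of 14077410, that is the verification doing its job: the server's certificate chain does not lead to the imported CA, or the server name does not match the certificate.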

@sob as far as I know, Windows needs the client certificate imported.. has something changed? Am I missing something?

It’s still the same, if you need to import some certificate in Windows, it’s when you have RouterOS as SSTP server with self-signed certificate, and Windows client wouldn’t trust it unless you add it as trusted.

Ok, because I just read an earlier post that said Windows does not need certificates…

It turns out strange.
A Windows client can connect without importing a certificate, but the MikroTik SSTP client, using the same technology, cannot.
Of course I will ask for a certificate, they will provide it to me (it takes time), but I thought that MikroTik had no fewer opportunities.

Windows, unlike RouterOS, has a long built-in list of trusted CAs. So if the client verifies the server certificate (which it should), it just works. To have the same in RouterOS, you need to import the CA certificate. But it shouldn’t be the problem right now, if you have verify-server-certificate=no.

Did you test if tls-version=only-1.2 helps?

Unfortunately not.

For lack of better ideas, do you have up-to-date RouterOS?

Yes, I have the latest version. The first thing I did was update the firmware.