First off, hopefully this is in the right place. SSTP is 5.0 only as far as I know, so I figured this would be the most likely place to get a response.
I have 3 routers on the bench right now trying to get SSTP tunnels up and passing traffic.
192.168.0.207/24                      192.168.4.207
    Router1            Router2            Router3
192.168.254.21/24  192.168.254.20/24  192.168.254.24/24
       |                  |                  |
---------------------------------------------------------
          SSTP Tunnel1        SSTP Tunnel2
I’ve followed along the instructions here:
http://wiki.mikrotik.com/wiki/SSTP
I have tunnels that come up and connect but I cannot ping from the subnet behind Router1 (0.0/24) to the subnet behind Router3 (4.0/24).
In fact, when I try I don't see any traffic happening on the SSTP tunnel with torch.
When the tunnel is not active (I disable it) I can ping from 192.168.254.21 → 192.168.254.20.
I have no firewall rules in place at all on any of these routers. So I don’t think that's it.
mrz
Each router should know how to reach remote networks, so you need to set up routing correctly.
That was my first thought but I think routing is set up correctly.
Router1:
       DST-ADDRESS        PREF-SRC        GATEWAY         DISTANCE
 0 ADS 0.0.0.0/0                          192.168.254.20  1
 1 ADC 192.168.0.0/24     192.168.0.216   ether3-inside   0
 2 ADC 192.168.254.0/24   192.168.254.21  outside-bridge  0
 3 ADC 192.168.254.20/32  192.158.254.21  sstp-out1       0
Router2:
       DST-ADDRESS        PREF-SRC        GATEWAY         DISTANCE
 0 ADC 192.158.254.21/32  192.168.254.20                  0
 1 ADS 192.168.0.0/24                     192.168.254.21  1
 2 ADS 192.168.4.0/24                     192.168.254.24  1
 3 ADC 192.168.254.0/24   192.168.254.20  bridge1         0
 4 ADC 192.168.254.24/32  192.168.254.20                  0
Router3:
       DST-ADDRESS        PREF-SRC        GATEWAY         DISTANCE
 0 ADS 0.0.0.0/0                          192.168.254.20  1
 1 ADC 192.168.4.0/24     192.168.4.207   ether3-inside   0
 2 ADC 192.168.254.0/24   192.168.254.24  bridge-outside  0
 3 ADC 192.168.254.20/32  192.168.254.24  sstp-out1       0
And just for fun the SSTP config:
Router1:
0 R name="sstp-out1" max-mtu=1500 max-mru=1500 mrru=disabled
connect-to=192.168.254.20:443 http-proxy=0.0.0.0:443 certificate=Holcomb
verify-server-certificate=no user="holcomb" password="something"
profile=default-encryption keepalive-timeout=60 add-default-route=yes
dial-on-demand=no authentication=pap,chap,mschap1,mschap2
Router2:
/interface sstp-server server
set authentication=pap,chap,mschap1,mschap2 certificate=server \
    default-profile=default enabled=yes keepalive-timeout=60 max-mru=1500 \
    max-mtu=1500 mrru=disabled port=443 verify-client-certificate=no
/ppp secret
add caller-id="" disabled=no limit-bytes-in=0 limit-bytes-out=0 \
    local-address=192.168.254.20 name=creston password=something \
    profile=default remote-address=192.168.254.24 \
    routes="192.168.4.0/24 192.168.254.24 1" service=any
add caller-id="" disabled=no limit-bytes-in=0 limit-bytes-out=0 \
    local-address=192.168.254.20 name=holcomb password=something \
    profile=default remote-address=192.158.254.21 \
    routes="192.168.0.0/24 192.168.254.21 1" service=any
Router3:
Flags: X - disabled, R - running
0 R name="sstp-out1" max-mtu=1500 max-mru=1500 mrru=disabled
connect-to=192.168.254.20:443 http-proxy=0.0.0.0:443 certificate
verify-server-certificate=no user="creston" password="something"
profile=default keepalive-timeout=60 add-default-route=yes
dial-on-demand=no authentication=pap,chap,mschap1,mschap2
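
Added example, not part of the thread or any poster's code: a simplified longest-prefix-match lookup over the three route tables exactly as posted above, showing which interface each router would pick toward the remote subnet. It models only prefix length and recursive next-hop resolution; the hosts 192.168.0.10 and 192.168.4.10 are constructed, and `tunnel?` is a placeholder for the interface name that does not appear on Router2's /32 entries.

```python
import ipaddress

# Constructed from the route tables posted in the thread: (destination, gateway).
# A gateway is an interface name or a next-hop IP. "tunnel?" is a placeholder
# for the interface missing from Router2's two /32 entries on the page.
TABLES = {
    "Router1": [("0.0.0.0/0", "192.168.254.20"),
                ("192.168.0.0/24", "ether3-inside"),
                ("192.168.254.0/24", "outside-bridge"),
                ("192.168.254.20/32", "sstp-out1")],
    "Router2": [("192.158.254.21/32", "tunnel?"),
                ("192.168.0.0/24", "192.168.254.21"),
                ("192.168.4.0/24", "192.168.254.24"),
                ("192.168.254.0/24", "bridge1"),
                ("192.168.254.24/32", "tunnel?")],
    "Router3": [("0.0.0.0/0", "192.168.254.20"),
                ("192.168.4.0/24", "ether3-inside"),
                ("192.168.254.0/24", "bridge-outside"),
                ("192.168.254.20/32", "sstp-out1")],
}

def lookup(router, dst):
    """Longest-prefix match: return (prefix, gateway) or None."""
    addr = ipaddress.ip_address(dst)
    nets = [(ipaddress.ip_network(p), gw) for p, gw in TABLES[router]]
    hits = [(n, gw) for n, gw in nets if addr in n]
    if not hits:
        return None
    net, gw = max(hits, key=lambda h: h[0].prefixlen)
    return str(net), gw

def egress(router, dst, max_depth=4):
    """Resolve next-hop IPs recursively; return (prefixes used, interface)."""
    used, target = [], dst
    for _ in range(max_depth):
        hit = lookup(router, target)
        if hit is None:
            return used, None          # no route at all
        used.append(hit[0])
        try:
            ipaddress.ip_address(hit[1])
        except ValueError:
            return used, hit[1]        # gateway is an interface name
        target = hit[1]                # gateway is an IP: look it up too
    return used, None                  # next-hop chain never reached an interface

if __name__ == "__main__":
    for r, d in [("Router1", "192.168.4.10"), ("Router2", "192.168.4.10"),
                 ("Router3", "192.168.0.10"), ("Router2", "192.168.0.10")]:
        print(r, "->", d, egress(r, d))
```

With the tables as posted, Router2's route to 192.168.0.0/24 resolves its gateway 192.168.254.21 through 192.168.254.0/24 on bridge1, because the only /32 for that peer is 192.158.254.21; on Router1 the SSTP `connect-to` address 192.168.254.20 itself matches the /32 on sstp-out1.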