Hello!
I have a problem with SSTP VPN on ROS and the SSTP client: after certificate generation and import into the trusted root store, when I try to connect I get an error: 0x800B010F
The certificate’s CN name does not match the passed value.
My CA cert has a CN that is equal to the domain address of my ROS. I've tried with the IP address and the domain name - without success.
To generate those certs I used the built-in ROS tools and afterwards the EasyRSA3 scripts - without success.
Communication ROS - ROS is working, Win7 SP1 to ROS is not.
Please help
As mentioned in the mt wiki, the option verify-client-certificate is compatible only with ROS; when it's enabled, we can revoke every single certificate (like usrX), but this breaks compatibility with non-ROS clients.
For curious people: Ubuntu SSTP client install, in a terminal:
sudo su
add-apt-repository ppa:eivnaes/network-manager-sstp
apt-get install sstp-client
...after all that, the SSTP connection can be configured from Network Manager
Dear mrz, thank you very much for your time and patience!
Tell me please, is it possible to block an incoming VPN connection from a Windows client when the client certificate is revoked, without enabling verify-client-certificate?
I am trying to use a CRL ( http://forum.mikrotik.com/t/self-signed-certificates-and-crl/98965/1 ), but without success. Can RouterOS create a CRL that is available publicly?
There is no such thing as a “client certificate” in the Windows implementation of SSTP. You import the CA into the trusted root store on the Windows client; then, when the client tries to establish a connection, the server sends its server certificate, which is verified against the imported CA. Client verification is not possible. (Maybe it was changed in the latest Windows 10 updates, I haven't checked it yet.)
All right, thanks, tell me please one last thing: we are talking about a self-signed CA all the time.
Is it possible to auto-generate a CRL from RouterOS in a form understandable to Windows?
If I understand correctly, the ca-crl-host option may only point to an external location (from which to download that CRL)?
A CRL is a standard and there shouldn't be any exceptions for Windows. You point ca-crl-host at the location where the CRL is located. If it is the router, then set the router's IP address.
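The two points made in the replies above (the server certificate is what the Windows client verifies, so the name or IP the client dials has to appear in it, and a CRL is plain X.509 that any client can consume) can be reproduced end to end with openssl. The script below is an added example, not code from the thread or from MikroTik; it uses openssl instead of the RouterOS certificate tools, and the hostname vpn.example.com, the IP 203.0.113.1 and the CA name MyVPN-CA are placeholders. It builds a self-signed CA, signs a server certificate whose subjectAltName carries both the DNS name and the IP, runs the same name check that produces 0x800B010F when it fails, then revokes the server certificate, regenerates the CRL (the file a ca-crl-host location would serve) and shows the chain check flipping to REVOKED.

```shell
#!/bin/sh
# Added example (not from the original posts or from MikroTik): self-signed CA,
# SAN-matched server certificate and CRL for an SSTP server, checked with openssl.
# Assumptions: openssl 1.1+ in PATH; vpn.example.com / 203.0.113.1 are placeholders.
set -e

WORK="${WORK:-$(mktemp -d)}"
VPN_HOST="vpn.example.com"   # the name the client types into the VPN connection
VPN_IP="203.0.113.1"         # or the address it dials, if it connects by IP

make_pki() {
  mkdir -p "$WORK"
  # One config serves 'openssl req' (CA and CSR) and 'openssl ca' (sign, revoke, CRL).
  cat > "$WORK/ca.cnf" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$VPN_HOST, IP:$VPN_IP
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ ca ]
default_ca = vpn_ca
[ vpn_ca ]
database = $WORK/index.txt
new_certs_dir = $WORK
certificate = $WORK/ca.crt
private_key = $WORK/ca.key
serial = $WORK/serial
crlnumber = $WORK/crlnumber
default_md = sha256
default_days = 825
default_crl_days = 30
policy = ca_policy
[ ca_policy ]
commonName = supplied
EOF
  : > "$WORK/index.txt"
  echo 01 > "$WORK/serial"
  echo 01 > "$WORK/crlnumber"
  # Self-signed CA: this is the certificate imported into the client's trusted root store.
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=MyVPN-CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  # Server key + CSR, signed by the CA with the SAN the client will match against.
  openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$VPN_HOST" -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl ca -batch -config "$WORK/ca.cnf" -extensions v3_server -notext \
    -in "$WORK/server.csr" -out "$WORK/server.crt" 2>/dev/null
  # Empty CRL to publish until something is revoked.
  openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/ca.crl" 2>/dev/null
}

# Same check the client performs when it dials by name: prints OK or FAIL.
check_hostname() {
  if openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" "$WORK/server.crt" >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}

# Same check when the client dials by IP address: prints OK or FAIL.
check_ip() {
  if openssl verify -CAfile "$WORK/ca.crt" -verify_ip "$1" "$WORK/server.crt" >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}

# Revoke the server certificate and regenerate the CRL a ca-crl-host location would serve.
revoke_server() {
  openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/server.crt" 2>/dev/null
  openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/ca.crl" 2>/dev/null
}

# Chain check with CRL enforcement: prints OK, REVOKED or FAIL.
check_crl() {
  if out=$(openssl verify -CAfile "$WORK/ca.crt" -CRLfile "$WORK/ca.crl" -crl_check "$WORK/server.crt" 2>&1)
  then echo OK
  elif echo "$out" | grep -q "certificate revoked"; then echo REVOKED
  else echo FAIL; fi
}

make_pki
echo "dialled by name  : $(check_hostname "$VPN_HOST")"
echo "dialled by IP    : $(check_ip "$VPN_IP")"
echo "wrong name       : $(check_hostname vpn.other.example)"
echo "before revocation: $(check_crl)"
revoke_server
echo "after revocation : $(check_crl)"
```

The "wrong name" line is the openssl equivalent of the 0x800B010F case: the chain is trusted, but the dialled name is not in the certificate. Note that the CRL check only protects the server-certificate side of the exchange; it does not give the Windows client a client certificate to revoke, which is the limitation described in the replies above.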