VPN over SSTP setup

Hey guys,

I am trying to set up a Client VPN over SSTP.

I had a try on a new router where I managed to set it up fine. Now after that I wanted to implement it on my live setup.
The only problem is, I always get the error that the CN name does not match up with the connection.

I have every DNS name and the IP in both Certs.
I can resolve every DNS to the IP and the IP resolves into one of the DNS names. No matter how I try to set up the Certificates, I always get the CN-Name mismatch.

For reference, I set up the VPN following this guide.
I am sorry if it is a dumb question.

It isn’t a dumb question.

I ran into this exact problem when using RouterOS-created certificates for SSTP. The solution I found was to use the external IP address as the Common Name when creating the server certificate.

Thank you for your reply.
Sadly, I tried that already, it doesn’t work.
I tried it with just the IP address and I also tried it in combination with alternative DNS names, and the client still says the CN name does not match up.

If you have access to a Linux computer, try running the following command to see what the server certificate details are:


openssl s_client -servername FQDN -connect FQDN:443 </dev/null 2>/dev/null | openssl x509 -text

Where FQDN is the DNS name you want to use for the SSTP server (Change the port from 443 if you changed it on the server).

If you have a Windows computer, use this PowerShell script I found on Sunny Chakraborty’s GitHub to get the information:

Save the script file with the name Get-RemoteSSLCertificate.ps1

[CmdletBinding()]
param (
    [Parameter(Mandatory=$true)]
    [string]
    $ComputerName,

    [int]
    $Port = 443
)

$Certificate = $null
$TcpClient = New-Object -TypeName System.Net.Sockets.TcpClient
try {

    $TcpClient.Connect($ComputerName, $Port)
    $TcpStream = $TcpClient.GetStream()

    # Accept any certificate: the script only reads what the server presents,
    # so chain or name errors must not abort the handshake.
    $Callback = { param($sender, $cert, $chain, $errors) return $true }

    $SslStream = New-Object -TypeName System.Net.Security.SslStream -ArgumentList @($TcpStream, $true, $Callback)
    try {

        # Send the requested name as SNI (same as openssl s_client -servername);
        # a host running several TLS services may choose its certificate by it.
        $SslStream.AuthenticateAsClient($ComputerName)
        $Certificate = $SslStream.RemoteCertificate

    } finally {
        $SslStream.Dispose()
    }

} finally {
    $TcpClient.Dispose()
}

if ($Certificate) {
    if ($Certificate -isnot [System.Security.Cryptography.X509Certificates.X509Certificate2]) {
        $Certificate = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Certificate
    }

    # Subject carries the CN; DnsNameList carries the subjectAltName entries,
    # which a client checks before (or instead of) the CN.
    $Certificate | Format-List Subject, DnsNameList, Issuer, NotBefore, NotAfter, Thumbprint
}

Run the command from PowerShell

\path\to\Get-RemoteSSLCertificate.ps1 FQDN

or

\path\to\Get-RemoteSSLCertificate.ps1 FQDN P#

Where P# is the port number if you changed it from 443.

Both of these commands will show you the primary CN listed in the certificate even if it doesn’t match the FQDN you specified. Then try using the reported CN when setting up the SSTP client.

I hope this helps.

This service does it for you; they have a free option for one device and one can see the setup they have. If nothing else it’s informative.
https://www.remotewinbox.com/auth/blog/Home

There is also the online Check website security tool from DigiCert that can give you the certificate information.

Thanks, I found the problem. I totally forgot that there is also a Microsoft OWA on the same IP with its own CA.
It found the CA for the OWA quicker than the MikroTik one. That’s where the mismatch was.
Changing the SSTP port helped so that both aren’t listening on port 443.

Thank you for your help, I probably would not have found it with the ideas you provided!
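Added example, not code from any post in this thread: it rebuilds the situation from the last post on localhost (two TLS services that would both want port 443, each with its own certificate) and runs the `openssl s_client` check from the earlier reply against each listener, so you can see which certificate each port really serves and whether OpenSSL's own hostname check accepts it. Assumptions: OpenSSL 1.1.1 or newer on PATH, ports 4443 (standing in for 443) and 4444 free, and made-up names `vpn.example.com`, `mail.example.com` and IP `203.0.113.10`.

```shell
#!/bin/sh
# Added example: two TLS listeners on one host, each with its own cert,
# inspected with the same s_client pipeline used in the thread.
# Assumed: OpenSSL >= 1.1.1; ports 4443/4444 free; all names below are made up.
set -eu

WORK=$(mktemp -d)
PIDS=""
cleanup() { [ -n "$PIDS" ] && kill $PIDS 2>/dev/null; rm -rf "$WORK"; }
trap cleanup EXIT

# make_cert <cn> <subjectAltName list> <file prefix>: self-signed cert + key
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
        -addext "subjectAltName=$2" \
        -keyout "$WORK/$3.key" -out "$WORK/$3.crt" >/dev/null 2>&1
}

# serve <file prefix> <port>: start a TLS listener presenting that cert
serve() {
    openssl s_server -accept "127.0.0.1:$2" -cert "$WORK/$1.crt" \
        -key "$WORK/$1.key" -www >/dev/null 2>&1 &
    PIDS="$PIDS $!"
    i=0   # wait until the listener completes a handshake
    until openssl s_client -connect "127.0.0.1:$2" </dev/null >/dev/null 2>&1; do
        i=$((i + 1))
        [ "$i" -lt 20 ] || { echo "listener on port $2 did not start" >&2; return 1; }
        sleep 1
    done
}

# served_cert <sni name> <port>: PEM of the certificate the listener presents
served_cert() {
    openssl s_client -servername "$1" -connect "127.0.0.1:$2" </dev/null 2>/dev/null |
        openssl x509
}

# served_cn <sni name> <port>: only the Common Name of that certificate
served_cn() {
    served_cert "$1" "$2" | openssl x509 -noout -subject |
        sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# served_sans <sni name> <port>: DNS and IP subjectAltName entries, one per line
served_sans() {
    served_cert "$1" "$2" | openssl x509 -noout -text |
        grep -oE '(DNS|IP Address):[^,]+' | sed 's/ *$//'
}

# name_matches <name> <sni name> <port>: succeeds only if OpenSSL's hostname
# check accepts the served certificate for <name>. The served cert is pinned
# as the trust anchor so that only the name check can fail.
name_matches() {
    served_cert "$2" "$3" > "$WORK/served.pem"
    openssl s_client -servername "$2" -connect "127.0.0.1:$3" \
        -CAfile "$WORK/served.pem" -verify_hostname "$1" </dev/null 2>/dev/null |
        grep -qE '^(Verification: OK|Verify return code: 0 \(ok\))$'
}

# Constructed certificates: the SSTP one carries the VPN name and the public
# IP in its SAN; the OWA one carries only the mail names.
make_cert vpn.example.com  "DNS:vpn.example.com,IP:203.0.113.10" sstp
make_cert mail.example.com "DNS:mail.example.com,DNS:autodiscover.example.com" owa

# Only one service can own a port: OWA takes 4443 (our stand-in for 443) and
# SSTP is moved to 4444, which is the fix described at the end of the thread.
serve owa  4443
serve sstp 4444

echo "port 4443 serves CN=$(served_cn vpn.example.com 4443)"
echo "port 4444 serves CN=$(served_cn vpn.example.com 4444)"
echo "port 4444 SANs:"; served_sans vpn.example.com 4444
```

Pointing an SSTP client at `vpn.example.com` on port 4443 would hit the OWA certificate and produce exactly the name mismatch from the first post, while the same name on port 4444 passes; `served_sans` also shows that the IP is present as an `IP Address:` entry rather than a `DNS:` entry, which is what a client compares against when you connect by IP.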