daveramsey

How do I solve Error 0x8007274C in Windows 7 when connecting VPN from Windows 7 to MikroTik hAP lite router?

Tue Sep 03, 2019 3:52 pm

How do I solve Error 0x8007274C in Windows 7 when connecting VPN from Windows 7 to MikroTik hAP lite router?

router configuration
-------------------------------
Generate certificates on RouterOS

/certificate
add name=ca-template common-name=myCa key-usage=key-cert-sign,crl-sign
add name=server-template common-name=35.22.112.151
add name=client1-template common-name=91.13.2.14
add name=client2-template common-name=192.168.1.253
/certificate
sign ca-template ca-crl-host=35.22.112.151 name=myCa
sign server-template ca=myCa name=server
sign client1-template ca=myCa name=client1
sign client2-template ca=myCa name=client2

set myCa trusted=yes
set server trusted=yes

/certificate export-certificate myCa
/certificate export-certificate client1 export-passphrase=xxxxxxxx
/certificate export-certificate client2 export-passphrase=xxxxxxxx

print

to create a user

/ppp secret add name=rt3453453desg service=sstp password=345asg4tt local-address=35.22.112.151 remote-address=91.13.2.14

/ppp secret print detail


/interface sstp-server server set certificate=server
/interface sstp-server server set enabled=yes
/interface sstp-server server set authentication=mschap2


/interface sstp-server server print



/interface sstp-server monitor 0

/interface ethernet print
 
daveramsey

Thu Sep 05, 2019 11:53 am

From a local Windows machine at 192.168.1.253 we can connect, but from an address on the internet we cannot. Why?
 
pe1chl

Thu Sep 05, 2019 12:28 pm

You need to allow access to TCP port 443 in the input chain for traffic from internet.
 
daveramsey

Thu Sep 05, 2019 1:16 pm

We open TCP and UDP port 443 in NAT, and we also run the command:
/ip firewall filter
add action=accept chain=input dst-port=443 protocol=tcp comment="Permit SSTP"

How do we solve the problem?
How do we allow access in the input chain?
 
daveramsey

Thu Sep 05, 2019 2:23 pm

Do we need to make:

/ip firewall nat add chain=dstnat in-interface=ether1 dst-port=443 protocol=tcp action=dst-nat to-addresses=91.13.2.14
/ip firewall filter add chain=forward connection-state=established,related action=accept
 
martinclaro

Thu Sep 05, 2019 2:45 pm

You only need to allow traffic to port 443 (or the port you set on /interface sstp-server server) in the input chain. Do not add a NAT rule for the port.

Second, make sure you have disabled the www-ssl service on "/ip service" (or change the port at /ip service) so the port does not conflict with the one you set for SSTP.

Third, you can post the output of the following commands for us to check if the firewall rules are in the right order:
/ip firewall export hide-sensitive
/ip service export hide-sensitive
/interface sstp-server server export hide-sensitive
Martín C. @ TopHost Soluciones
MTCNA | MTCTCE
 
daveramsey

Thu Sep 05, 2019 2:56 pm

[admin@MikroTik] > /ip firewall export hide-sensitive
# sep/05/2019 14:55:45 by RouterOS 6.45.1
# software id = SEYH-HLMS
#
# model = RouterBOARD 941-2nD
# serial number = 8AFE08FFCDCE
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=accept chain=input comment="Permit SSTP" dst-port=443 protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=21 in-interface=ether1 protocol=tcp \
to-addresses=192.168.1.222 to-ports=0-65535
add action=dst-nat chain=dstnat disabled=yes dst-port=3489 in-interface=ether1 \
protocol=tcp to-addresses=192.168.1.222 to-ports=0-65535
add action=dst-nat chain=dstnat disabled=yes dst-port=3589 in-interface=ether1 \
protocol=tcp to-addresses=192.168.1.22 to-ports=0-65535
add action=dst-nat chain=dstnat disabled=yes dst-port=3390 in-interface=ether1 \
protocol=tcp to-addresses=192.168.1.168 to-ports=0-65535
add action=return chain=dstnat dst-port=3389 in-interface=ether1 protocol=tcp
add action=accept chain=dstnat dst-port=5060-5072 in-interface=ether1 \
protocol=udp to-ports=0-65535
add action=accept chain=dstnat dst-port=5004-5024 in-interface=ether1 \
protocol=udp to-ports=0-65535
add action=accept chain=dstnat dst-port=10000-20000 in-interface=ether1 \
protocol=udp to-ports=0-65535
add action=accept chain=dstnat dst-port=443 in-interface=ether1 protocol=tcp \
to-addresses=192.168.1.1-192.168.1.245 to-ports=0-65535
add action=accept chain=dstnat dst-port=443 in-interface=ether1 protocol=udp
 
daveramsey

Thu Sep 05, 2019 2:57 pm

[admin@MikroTik] > /ip services export hide-sensitive
bad command name services (line 1 column 5
 
daveramsey

Thu Sep 05, 2019 2:58 pm

[admin@MikroTik] > /interface sstp-server server export hide-sensitive
# sep/05/2019 14:58:00 by RouterOS 6.45.1
# software id = SEYH-HLMS
#
# model = RouterBOARD 941-2nD
# serial number = 8AFE08FFCDCE
/interface sstp-server server
set authentication=mschap2 certificate=server enabled=yes
[admin@MikroTik] >
 
martinclaro

Thu Sep 05, 2019 3:13 pm

Start by moving this rule:
add action=accept chain=input comment="Permit SSTP" dst-port=443 protocol=tcp
before this other rule:
add action=drop   chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
That's why the router is dropping the connections from WAN side (order matters).
Martín C. @ TopHost Soluciones
MTCNA | MTCTCE
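
The rule-order point in the reply above, as an added example that is not part of the original thread: a small Python model that parses an excerpt of the posted `/ip firewall filter` export and evaluates the input chain top-down for a new TCP/443 connection. It assumes the WAN interface is a member of list WAN and not LAN, models only exact-value, comma-list and `!` matchers, and the probe packet and function names are constructed for illustration.

```python
import re
import shlex
# Constructed excerpt: input-chain rules from the export posted in the thread.
EXPORT = r'''/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=input comment="Permit SSTP" dst-port=443 protocol=tcp
'''
# Constructed probe: a new TCP/443 connection arriving on a WAN interface.
SSTP_FROM_WAN = {"chain": "input", "protocol": "tcp", "dst-port": "443",
                 "in-interface-list": "WAN", "connection-state": "new"}

def parse_rules(export):
    """Join backslash-continued lines, then turn each 'add' line into a dict."""
    joined = re.sub(r"\\\n\s*", "", export)
    return [dict(tok.split("=", 1) for tok in shlex.split(line)[1:])
            for line in joined.splitlines() if line.startswith("add ")]

def matches(rule, pkt):
    """Subset of RouterOS matching: exact or comma-list values, '!' negation."""
    return all((pkt.get(k) in v.lstrip("!").split(",")) != v.startswith("!")
               for k, v in rule.items() if k not in ("action", "comment"))

def audit(rules, pkt):
    """Evaluate top-down; return (verdict, deciding comment, later matching rules)."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            later = [r["comment"] for r in rules[i + 1:] if matches(r, pkt)]
            return rule["action"], rule["comment"], later
    return "accept", None, []  # no rule matched: RouterOS chains default to accept

def move_before(rules, comment, before):
    """Model of the reordering advised in the thread; returns a new list."""
    rule = next(r for r in rules if r["comment"] == comment)
    rest = [r for r in rules if r is not rule]
    pos = next(i for i, r in enumerate(rest) if r["comment"] == before)
    return rest[:pos] + [rule] + rest[pos:]

if __name__ == "__main__":
    rules = parse_rules(EXPORT)
    fixed = move_before(rules, "Permit SSTP", "defconf: drop all not coming from LAN")
    for label, rs in (("as posted", rules), ("reordered", fixed)):
        print(label, audit(rs, SSTP_FROM_WAN))
```

With the rules as posted, the WAN probe is decided by the "drop all not coming from LAN" rule and "Permit SSTP" shows up only as a later, unreachable match; a LAN probe skips that drop rule, which is why the connection worked from 192.168.1.253.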
 
martinclaro

Thu Sep 05, 2019 3:15 pm

daveramsey wrote:
[admin@MikroTik] > /ip services export hide-sensitive
bad command name services (line 1 column 5

I'm sorry, the command is:
/ip service export hide-sensitive
 
martinclaro

Thu Sep 05, 2019 3:20 pm

daveramsey wrote:
[admin@MikroTik] > /interface sstp-server server export hide-sensitive
# sep/05/2019 14:58:00 by RouterOS 6.45.1
# software id = SEYH-HLMS
#
# model = RouterBOARD 941-2nD
# serial number = 8AFE08FFCDCE
/interface sstp-server server
set authentication=mschap2 certificate=server enabled=yes
[admin@MikroTik] >

For better security, please add the following:
/interface sstp-server server set authentication=mschap2 force-aes=yes tls-version=only-1.2
 
daveramsey

Thu Sep 05, 2019 4:26 pm

[admin@MikroTik] > /ip service export hide-sensitive
# sep/05/2019 16:26:29 by RouterOS 6.45.1
# software id = SEYH-HLMS
#
# model = RouterBOARD 941-2nD
# serial number = 8AFE08FFCDCE
[admin@MikroTik] >
 
martinclaro

Thu Sep 05, 2019 4:44 pm

daveramsey wrote:
[admin@MikroTik] > /ip service export hide-sensitive
# sep/05/2019 16:26:29 by RouterOS 6.45.1
# software id = SEYH-HLMS
#
# model = RouterBOARD 941-2nD
# serial number = 8AFE08FFCDCE
[admin@MikroTik] >

OK, so you will need to disable the www-ssl service or change its port:

To disable it:
/ip service set www-ssl port=443 disabled=yes
To keep it enabled and change its port:
/ip service set www-ssl port=8443 disabled=no
 
daveramsey

Thu Sep 05, 2019 4:51 pm

We made all the changes.
We received the following error when trying to connect from the internet to the router:

The certificate chain has been processed, but processing has been interrupted on the root certificate, which does not have a pre-trust relationship with the trust provider

How do I remove this error?
 
martinclaro

Thu Sep 05, 2019 5:25 pm

Well, that's because you are using a certificate created by yourself, not by a trusted entity. That's not a router issue.

Maybe you can deal with the new issue by adding the CA certificate to your windows host.

Also the common-name or the alt-name should match the hostname you are using to connect to the WAN side. As I've seen in your other topic, you created the certificate only for your LAN address.

More info: https://security.stackexchange.com/ques ... vpn-server
 
daveramsey

Thu Sep 05, 2019 5:37 pm

The client certificate with the IP of the host on the internet is added to the trusted root of Windows 10 for the IP, and all values are according to your instructions.

Windows 10 from local IP 192.168.1.253 connects to the router using VPN SSTP,
but from Windows 10 from internet IP 91.13.2.14 we received the error
The certificate chain has been processed, but processing has been interrupted on the root certificate, which does not have a pre-trust relationship with the trust provider
and it does not connect.

We do not have alt-name in the router.
 
daveramsey

Fri Sep 06, 2019 10:48 am

Do I need to add to the trusted root only the server certificate myCa on every computer connected to the router from the internet,
and not add a certificate with the IP of each client computer to the trusted root?
 
Sob

Sat Sep 07, 2019 1:44 am

Yes, if you have your own CA, client does need to have CA's certificate and trust it.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
