R4wne
just joined
Topic Author
Posts: 3
Joined: Tue Sep 07, 2021 3:00 pm

VPN over SSTP setup

Wed Sep 08, 2021 9:40 am

Hey guys,

I am trying to set up a Client VPN over SSTP.

I had a try on a new router where I managed to set it up fine. After that I wanted to implement it on my live setup.
The only problem is, I always get the error that the CN-Name does not match up with the connection.

I have every DNS name and the IP in both Certs.
I can resolve every DNS to the IP and the IP resolves into one of the DNS names. No matter how I try to set up the Certificates, I always get the CN-Name mismatch.

For reference, I set up the VPN following this guide.
I am sorry if it is a dumb question.
Last edited by R4wne on Tue Sep 14, 2021 1:59 pm, edited 1 time in total.
 
MickeyT
Member Candidate
Posts: 125
Joined: Tue Feb 18, 2020 7:06 am
Location: Australia

Re: VPN over SSTP setup

Thu Sep 09, 2021 2:27 pm

It isn't a dumb question.

I ran into this exact problem when using RouterOS-created certificates for SSTP. The solution I found was to use the external IP address as the Common Name when creating the server certificate.
 
R4wne
just joined
Topic Author
Posts: 3
Joined: Tue Sep 07, 2021 3:00 pm

Re: VPN over SSTP setup

Thu Sep 09, 2021 2:53 pm

MickeyT wrote:
It isn't a dumb question.

I ran into this exact problem when using RouterOS-created certificates for SSTP. The solution I found was to use the external IP address as the Common Name when creating the server certificate.
Thank you for your reply.
Sadly, I tried that already; it doesn't work.
I tried it with just the IP address and I also tried it in combination with alternative DNS names and the Client still says CN-Name does not match up.
 
MickeyT
Member Candidate
Posts: 125
Joined: Tue Feb 18, 2020 7:06 am
Location: Australia

Re: VPN over SSTP setup  [SOLVED]

Thu Sep 09, 2021 3:43 pm

If you have access to a Linux computer, try running the following command to see what the server certificate details are:

openssl s_client -servername FQDN -connect FQDN:443 </dev/null 2>/dev/null | openssl x509 -text

Where FQDN is the DNS name you want to use for the SSTP server (Change the port from 443 if you changed it on the server).

If you have a Windows computer, use this PowerShell script I found on Sunny Chakraborty's GitHub to get the information:

Save the script file with the name Get-RemoteSSLCertificate.ps1
[CmdletBinding()]
param (
    # Host name or IP address of the TLS service to inspect
    [Parameter(Mandatory=$true)]
    [string]
    $ComputerName,

    # TCP port of the service (SSTP listens on 443 unless you changed it)
    [int]
    $Port = 443
)

$Certificate = $null
$TcpClient = New-Object -TypeName System.Net.Sockets.TcpClient
try {

    $TcpClient.Connect($ComputerName, $Port)
    $TcpStream = $TcpClient.GetStream()

    # Validation callback that accepts any certificate: the script only reads it, it does not trust it
    $Callback = { param($sender, $cert, $chain, $errors) return $true }

    $SslStream = New-Object -TypeName System.Net.Security.SslStream -ArgumentList @($TcpStream, $true, $Callback)
    try {

        # Empty target host: no name check is performed, the server certificate is simply retrieved
        $SslStream.AuthenticateAsClient('')
        $Certificate = $SslStream.RemoteCertificate

    } finally {
        $SslStream.Dispose()
    }

} finally {
    $TcpClient.Dispose()
}

if ($Certificate) {
    # Convert to X509Certificate2 so subject, SANs, validity and thumbprint are all exposed
    if ($Certificate -isnot [System.Security.Cryptography.X509Certificates.X509Certificate2]) {
        $Certificate = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Certificate
    }

    Write-Host -Verbose $Certificate
}

Run the command from PowerShell
\path\to\Get-RemoteSSLCertificate.ps1 FQDN
or
\path\to\Get-RemoteSSLCertificate.ps1 FQDN P#

Where P# is the port number if you changed it from 443.

Both of these commands will show you the primary CN listed in the certificate even if it doesn't match the FQDN you specified. Then try using the reported CN when setting up the SSTP client.

I hope this helps.
Last edited by MickeyT on Thu Sep 09, 2021 4:01 pm, edited 2 times in total.
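The check the openssl and PowerShell commands above perform, written out as an added Python example (not code from this thread, from MikroTik, or from the GitHub script): it connects with SNI, takes the leaf certificate the server actually sends, extracts the subject CN and the subjectAltName entries with a small DER parser, and reports whether the FQDN or IP the SSTP client dials is covered. Run against the live setup it also makes the situation R4wne later found visible at once, another service answering on the same IP and port, because the served CN belongs to that service rather than to the router. The names sstp.example.test and owa.example.test, the address 203.0.113.10, and build_sample_cert() are constructed test inputs, not values from the thread.

```python
import ipaddress
import socket
import ssl

OID_CN = bytes.fromhex("550403")   # 2.5.4.3   id-at-commonName
OID_SAN = bytes.fromhex("551d11")  # 2.5.29.17 id-ce-subjectAltName

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(body):
    """Split a constructed element's contents into a list of (tag, value)."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _tlv(body, pos)
        out.append((tag, val))
    return out

def parse_names(der):
    """Return (common_names, dns_sans, ip_sans) from a DER-encoded X.509 cert."""
    tbs = _children(_tlv(der, 0)[1])[0][1]        # Certificate -> tbsCertificate
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                       # optional [0] EXPLICIT version
        fields = fields[1:]
    cns = []                                       # fields: serial, sigAlg, issuer,
    for _, rdn in _children(fields[4][1]):         # validity, subject, spki, [1..3]
        for _, atv in _children(rdn):              # RDN SET -> AttributeTypeAndValue
            (_, oid), (_, value) = _children(atv)
            if oid == OID_CN:
                cns.append(value.decode("utf-8", "replace"))
    dns, ips = [], []
    for tag, body in fields[6:]:
        if tag != 0xA3:                            # [3] EXPLICIT Extensions
            continue
        for _, ext in _children(_children(body)[0][1]):
            parts = _children(ext)                 # OID, [critical], OCTET STRING
            if parts[0][1] != OID_SAN:
                continue
            for gtag, gval in _children(_children(parts[-1][1])[0][1]):
                if gtag == 0x82:                   # GeneralName dNSName
                    dns.append(gval.decode("ascii", "replace"))
                elif gtag == 0x87:                 # GeneralName iPAddress (raw 4/16 bytes)
                    ips.append(str(ipaddress.ip_address(gval)))
    return cns, dns, ips

def _dns_match(pattern, host):
    """Exact match, or a single leading wildcard label (RFC 6125 style)."""
    p, h = pattern.lower().split("."), host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def check_name(names, expected):
    """Say whether `expected` (FQDN or IP literal) is named by the certificate.
    With a SAN extension present the CN is ignored, as modern TLS clients do."""
    cns, dns, ips = names
    try:
        ip = str(ipaddress.ip_address(expected))
    except ValueError:
        ip = None
    if ip is not None:                  # an IP in the CN only counts when there is no SAN
        ok = ip in ips or (not dns and not ips and ip in cns)
    elif dns:
        ok = any(_dns_match(d, expected) for d in dns)
    else:
        ok = any(_dns_match(c, expected) for c in cns)
    verdict = "matches" if ok else "is NOT named by"
    return ok, f"{expected!r} {verdict} the served cert: CN={cns} DNS={dns} IP={ips}"

def fetch_leaf_der(host, port=443, server_name=None, timeout=5.0):
    """TLS-connect with SNI and return the leaf certificate the server sends (DER).
    Verification is disabled on purpose: we are inspecting, not trusting."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name or host) as tls:
            return tls.getpeercert(binary_form=True)

def _enc(tag, body):
    """Tiny DER encoder, used only to build the constructed sample below."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def build_sample_cert(cn, dns_names=(), ip_addrs=()):
    """CONSTRUCTED input: an unsigned certificate skeleton carrying the given names.
    Only the fields parse_names() reads are populated; the signature is a dummy."""
    name = _enc(0x30, _enc(0x31, _enc(0x30, _enc(0x06, OID_CN) + _enc(0x0C, cn.encode()))))
    gens = b"".join(_enc(0x82, d.encode()) for d in dns_names)
    gens += b"".join(_enc(0x87, ipaddress.ip_address(i).packed) for i in ip_addrs)
    san = _enc(0x30, _enc(0x06, OID_SAN) + _enc(0x04, _enc(0x30, gens)))
    exts = _enc(0xA3, _enc(0x30, san)) if gens else b""
    tbs = (_enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01") + _enc(0x30, b"")
           + name + _enc(0x30, b"") + name + _enc(0x30, b"") + exts)
    return _enc(0x30, _enc(0x30, tbs) + _enc(0x30, b"") + _enc(0x03, b"\x00"))

if __name__ == "__main__":
    import sys                      # usage: python sstp_certcheck.py FQDN-or-IP [port]
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(check_name(parse_names(fetch_leaf_der(host, port)), host)[1])
```

Run it with the FQDN (or IP) and port the SSTP client is configured with. If the output names a CN or SAN set that belongs to another service, the TLS handshake on that IP and port is being answered by something other than the router, which is exactly the case an SSTP client reports as a CN mismatch; moving one of the services to a different port, or separating the IPs, fixes it.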
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VPN over SSTP setup

Thu Sep 09, 2021 3:45 pm

This service does it for you; they have a free option for one device and one can see the setup they have. If nothing else, it's informative.
https://www.remotewinbox.com/auth/blog/Home
 
MickeyT
Member Candidate
Posts: 125
Joined: Tue Feb 18, 2020 7:06 am
Location: Australia

Re: VPN over SSTP setup

Thu Sep 09, 2021 3:52 pm

There is also the online Check website security tool from DigiCert that can give you the certificate information.
 
R4wne
just joined
Topic Author
Posts: 3
Joined: Tue Sep 07, 2021 3:00 pm

Re: VPN over SSTP setup

Fri Sep 10, 2021 1:50 pm

MickeyT wrote:
There is also the online Check website security tool from DigiCert that can give you the certificate information.

Thanks, I found the problem. I totally forgot that there is also a Microsoft OWA on the same IP with its own CA.
It found the CA for the OWA quicker than the MikroTik one. That's where the mismatch was.
Changing the SSTP port helped so that both aren't listening on port 443.

Thank you for your help, I probably would not have found it with the ideas you provided!
