Manual:Interface/SSTP
Revision as of 15:26, 27 April 2010
Applies to RouterOS: v5
Summary
Standards:
Secure Socket Tunneling Protocol (SSTP) is the way to transport PPP tunnel over SSL 3.0 channel. The use of SSL over TCP port 443 allows SSTP to pass through virtually all firewalls and proxy servers.
- A TCP connection is established from the client to the server (by default on port 443).
- SSL validates the server certificate. If the certificate is valid the connection is established; otherwise the connection is torn down.
- The client sends SSTP control packets within the HTTPS session, which establishes the SSTP state machine on both sides.
- PPP is negotiated over HTTPS. The client authenticates to the server and IP addresses are bound to the SSTP interface.
- The SSTP tunnel is now established and packet encapsulation can begin.
If both client and server are MikroTik routers, then it is possible to establish an SSTP tunnel without certificates and with any available authentication type.
Otherwise, to establish secure tunnels, mschap authentication and client/server certificates should be used.
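As an added example (not MikroTik code and not taken from this page), here is a strict parser for the SSTP control packets named in step 3 of the handshake above; the header and attribute layout follows Microsoft's MS-SSTP specification rather than this page, and the block goes beyond the text by validating every length field, which is what an inspection point on port 443 has to do before trusting a message.

```python
import struct

SSTP_VERSION = 0x10   # SSTP 1.0; the field layout here follows the MS-SSTP specification
MSG_TYPES = {1: "CALL_CONNECT_REQUEST", 2: "CALL_CONNECT_ACK", 3: "CALL_CONNECT_NAK",
             4: "CALL_CONNECTED", 5: "CALL_ABORT", 6: "CALL_DISCONNECT",
             7: "CALL_DISCONNECT_ACK", 8: "ECHO_REQUEST", 9: "ECHO_RESPONSE"}
ATTR_IDS = {1: "ENCAPSULATED_PROTOCOL_ID", 2: "STATUS_INFO",
            3: "CRYPTO_BINDING", 4: "CRYPTO_BINDING_REQ"}

def parse_sstp_packet(buf):
    """Parse one SSTP packet (4-byte header + control body); ValueError if malformed."""
    if len(buf) < 4 or buf[0] != SSTP_VERSION:
        raise ValueError("not an SSTP 1.0 header")
    _ver, flags, length_field = struct.unpack("!BBH", buf[:4])
    length = length_field & 0x0FFF            # 12-bit length; the top 4 bits are reserved
    if length != len(buf):
        raise ValueError("length field %d != %d bytes received" % (length, len(buf)))
    if not flags & 0x01:                      # C bit clear: data packet carrying a PPP frame
        return {"control": False, "payload": buf[4:]}
    if length < 8:
        raise ValueError("control packet too short")
    msg_type, num_attrs = struct.unpack("!HH", buf[4:8])
    attrs, off = [], 8
    for _ in range(num_attrs):
        if off + 4 > length:
            raise ValueError("attribute header runs past packet end")
        _reserved, attr_id, alen = struct.unpack("!BBH", buf[off:off + 4])
        alen &= 0x0FFF                        # attribute length includes its own 4-byte header
        if alen < 4 or off + alen > length:
            raise ValueError("bad attribute length %d" % alen)
        attrs.append((ATTR_IDS.get(attr_id, attr_id), buf[off + 4:off + alen]))
        off += alen
    if off != length:
        raise ValueError("trailing bytes after last attribute")
    return {"control": True, "type": MSG_TYPES.get(msg_type, msg_type), "attrs": attrs}

def encapsulated_protocol(pkt):
    # Protocol id requested in a Call Connect Request (1 = PPP), or None if absent
    for name, value in pkt.get("attrs", []):
        if name == "ENCAPSULATED_PROTOCOL_ID" and len(value) == 2:
            return struct.unpack("!H", value)[0]
    return None

def is_well_formed(buf):
    try:
        return parse_sstp_packet(buf) is not None
    except ValueError:
        return False

# Constructed sample: 14-byte Call Connect Request with ENCAPSULATED_PROTOCOL_ID = PPP (0x0001)
SAMPLE_CONNECT_REQUEST = bytes.fromhex("1001000e" "00010001" "00010006" "0001")
```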
SSTP Client
Sub-menu: /interface sstp-client
Properties
Property | Description |
---|---|
add-default-route (yes | no; Default: no) | Whether to add SSTP remote address as a default route. |
authentication (mschap2 | mschap1 | chap | pap; Default: mschap2, mschap1, chap, pap) | Allowed authentication methods. |
certificate (string | none; Default: none) | |
comment (string; Default: ) | Descriptive name of an item |
connect-to (IP:Port; Default: 0.0.0.0:443) | Remote address and port of SSTP server. |
dial-on-demand (yes | no; Default: no) | |
disabled (yes | no; Default: yes) | Whether interface is disabled or not. By default it is disabled. |
keepalive-timeout (integer | disabled; Default: 60) | |
max-mru (integer; Default: 1500) | Maximum Receive Unit. Max packet size that SSTP interface will be able to receive without packet fragmentation. |
max-mtu (integer; Default: 1500) | Maximum Transmission Unit. Max packet size that SSTP interface will be able to send without packet fragmentation. |
mrru (disabled | integer; Default: disabled) | Maximum packet size that can be received on the link. If a packet is bigger than tunnel MTU, it will be split into multiple packets, allowing full size IP or Ethernet packets to be sent over the tunnel. |
name (string; Default: ) | Descriptive name of the interface. |
password (string; Default: "") | Password used for authentication. |
profile (name; Default: default-encryption) | Used PPP profile. |
proxy (IP:Port; Default: 0.0.0.0:443) | Address and port of HTTP proxy server. |
user (string; Default: ) | User name used for authentication. |
Quick example
This example demonstrates how to set up an SSTP client with username "sstp-test", password "123" and server 10.1.101.1.

```
[admin@MikroTik] /interface sstp-client> add user=sstp-test password=123 \
\... connect-to=10.1.101.1 disabled=no
[admin@MikroTik] /interface sstp-client> print
Flags: X - disabled, R - running
 0  R name="sstp-out1" max-mtu=1500 max-mru=1500 mrru=disabled
      connect-to=10.1.101.1:443 user="sstp-test" password="123" proxy=0.0.0.0:443
      profile=default certificate=none keepalive-timeout=60 add-default-route=no
      dial-on-demand=no authentication=pap,chap,mschap1,mschap2
```
SSTP Server
Sub-menu: /interface sstp-server
This sub-menu shows an interface for each connected SSTP client.
An interface is created for each tunnel established to the given server. There are two types of interfaces in the SSTP server's configuration:
- Static interfaces are added administratively when there is a need to reference the particular interface name (in firewall rules or elsewhere) created for the particular user.
- Dynamic interfaces are added to this list automatically whenever a user connects and its username does not match any existing static entry (or when that entry is already active, as there cannot be two separate tunnel interfaces referenced by the same name).
Dynamic interfaces appear when a user connects and disappear once the user disconnects, so it is impossible to reference the tunnel created for that user in the router configuration (for example, in the firewall). If you need persistent rules for that user, create a static entry for him/her; otherwise it is safe to use the dynamic configuration.
Note: in both cases PPP users must be configured properly; static entries do not replace the PPP configuration.
Server configuration
Sub-menu: /interface sstp-server server
Properties:
Property | Description |
---|---|
authentication (pap | chap | mschap1 | mschap2; Default: pap,chap,mschap1,mschap2) | Authentication methods that server will accept. |
certificate (name; Default: none) | Name of the certificate that SSTP server will use. |
default-profile (name; Default: default) | |
enabled (yes | no; Default: no) | Defines whether SSTP server is enabled or not. |
keepalive-timeout (integer | disabled; Default: 60) | Defines the time period (in seconds) after which the router starts to send keepalive packets every second. If no traffic and no keepalive responses have arrived for that period of time (i.e. 2 * keepalive-timeout in total), the non-responding client is proclaimed disconnected. |
max-mru (integer; Default: 1500) | Maximum Receive Unit. Max packet size that SSTP interface will be able to receive without packet fragmentation. |
max-mtu (integer; Default: 1500) | Maximum Transmission Unit. Max packet size that SSTP interface will be able to send without packet fragmentation. |
mrru (disabled | integer; Default: disabled) | Maximum packet size that can be received on the link. If a packet is bigger than tunnel MTU, it will be split into multiple packets, allowing full size IP or Ethernet packets to be sent over the tunnel. |
require-client-certificate (yes | no; Default: no) | If set to yes, then server checks whether client's certificate belongs to the same certificate chain as server's certificate. |
Note: Starting from v5.0beta2 server does not require certificate to operate.
```
[admin@MikroTik] /interface sstp-server server> set certificate=server
[admin@MikroTik] /interface sstp-server server> set enabled=yes
[admin@MikroTik] /interface sstp-server server> print
                   enabled: yes
                      port: 443
                   max-mtu: 1500
                   max-mru: 1500
                      mrru: disabled
         keepalive-timeout: 60
           default-profile: default
               certificate: server
require-client-certificate: no
            authentication: pap,chap,mschap1,mschap2
[admin@MikroTik] /interface sstp-server server>
```
Monitoring
Monitor command can be used to monitor status of the tunnel on both client and server.
```
[admin@dzeltenais_burkaans] /interface sstp-server> monitor 0
   status: "connected"
   uptime: 17m47s
idle-time: 17m47s
     user: "sstp-test"
caller-id: "10.1.101.18:43886"
      mtu: 1500
```
Read-only properties
Property | Description |
---|---|
status () | Current SSTP status. A value other than "connected" indicates that there are problems establishing the tunnel. |
uptime (time) | Elapsed time since tunnel was established. |
idle-time (time) | Elapsed time since last activity on the tunnel. |
user (string) | Username used to establish the tunnel. |
mtu (integer) | Negotiated and used MTU |
caller-id (IP:ID) |
Application Examples
Connecting Remote Client
The following example shows how to connect a computer to a remote office network over an SSTP encrypted tunnel, giving that computer an IP address from the same network as the remote office (without the need for bridging over EoIP tunnels).
Consider the following setup:
The Office router is connected to the Internet through ether1. Workstations are connected to ether2. The laptop is connected to the Internet and can reach the Office router's public IP (in our example it is 192.168.80.1).
Before you begin to configure SSTP you need to create a server certificate and import it into the router (see the certificate instructions in the manual).
First step is to create a user
```
[admin@RemoteOffice] /ppp secret> add name=Laptop service=sstp password=123 local-address=10.1.101.1 remote-address=10.1.101.100
[admin@RemoteOffice] /ppp secret> print detail
Flags: X - disabled
 0   name="Laptop" service=sstp caller-id="" password="123" profile=default
     local-address=10.1.101.1 remote-address=10.1.101.100 routes==""
[admin@RemoteOffice] /ppp secret>
```

Notice that the SSTP local address is the same as the router's address on the local interface, and the remote address is from the same range as the local network (10.1.101.0/24).
The next step is to enable the SSTP server, and then the SSTP client on the laptop.

```
[admin@RemoteOffice] /interface sstp-server server> set certificate=server
[admin@RemoteOffice] /interface sstp-server server> set enabled=yes
[admin@RemoteOffice] /interface sstp-server server> print
                   enabled: yes
                      port: 443
                   max-mtu: 1500
                   max-mru: 1500
                      mrru: disabled
         keepalive-timeout: 60
           default-profile: default
               certificate: server
require-client-certificate: no
            authentication: pap,chap,mschap1,mschap2
[admin@RemoteOffice] /interface sstp-server server>
```

The SSTP client on the laptop should connect to the router's public IP, which in our example is 192.168.80.1.
Please consult the respective manual on how to set up an SSTP client with the software you are using.
Note: Currently SSTP is supported on Windows 2008, Windows Vista and Vista SP1. Other OS will not be able to connect to SSTP server
To verify that the SSTP client is connected:

```
[admin@RemoteOffice] /interface sstp-server> print
Flags: X - disabled, D - dynamic, R - running
 #     NAME       USER    MTU   CLIENT-ADDRESS     UPTIME  ENCODING
 0 DR  <sstp-...  Laptop  1500  10.1.101.18:43886  1h47s
[admin@RemoteOffice] /interface sstp-server> monitor 0
   status: "connected"
   uptime: 1h45s
idle-time: 1h45s
     user: "Laptop"
caller-id: "192.168.99.1:43886"
      mtu: 1500
```

At this point (when the SSTP client is successfully connected), if you try to ping any workstation from the laptop, the ping will time out, because the laptop is unable to get ARP responses from the workstations. The solution is to set up proxy-arp on the local interface:

```
[admin@RemoteOffice] /interface ethernet> set ether2 arp=proxy-arp
[admin@RemoteOffice] /interface ethernet> print
Flags: X - disabled, R - running
 #    NAME    MTU   MAC-ADDRESS        ARP
 0  R ether1  1500  00:30:4F:0B:7B:C1  enabled
 1  R ether2  1500  00:30:4F:06:62:12  proxy-arp
[admin@RemoteOffice] interface ethernet>
```

After proxy-arp is enabled the client can successfully reach all workstations in the local network behind the router.
Site-to-Site SSTP
The following is an example of connecting two intranets using an SSTP tunnel over the Internet.
Consider the following setup:
The Office and Home routers are connected to the Internet through ether1; workstations and laptops are connected to ether2. Both local networks are routed through the SSTP client, so they are not in the same broadcast domain. If both networks should be in the same broadcast domain then you need to use BCP and bridge the SSTP tunnel with the local interface.
The first step is to create a user:

```
[admin@RemoteOffice] /ppp secret> add name=Home service=sstp password=123 local-address=172.16.1.1 remote-address=172.16.1.2 routes="10.1.202.0/24 172.16.1.2 1"
[admin@RemoteOffice] ppp secret> print detail
Flags: X - disabled
 0   name="Home" service=sstp caller-id="" password="123" profile=default
     local-address=172.16.1.1 remote-address=172.16.1.2 routes=="10.1.101.0/24 172.16.1.1 1"
[admin@RemoteOffice] /ppp secret>
```

Notice that we set up SSTP to add a route whenever the client connects. If this option is not set, you will need a static routing configuration on the server to route traffic between the sites through the SSTP tunnel.
The next step is to enable the SSTP server on the Office router and configure the SSTP client on the Home router.

```
[admin@RemoteOffice] /interface sstp-server server> set certificate=server
[admin@RemoteOffice] /interface sstp-server server> set enabled=yes
[admin@RemoteOffice] /interface sstp-server server> print
                   enabled: yes
                      port: 443
                   max-mtu: 1500
                   max-mru: 1500
                      mrru: disabled
         keepalive-timeout: 60
           default-profile: default
               certificate: server
require-client-certificate: no
            authentication: pap,chap,mschap1,mschap2
```

```
[admin@Home] /interface sstp-client> add user=Home password=123 connect-to=192.168.80.1 disabled=no
[admin@Home] /interface sstp-client> print
Flags: X - disabled, R - running
 0  R name="sstp-out1" max-mtu=1500 max-mru=1500 mrru=disabled
      connect-to=192.168.80.1:443 user="Home" password="123" proxy=0.0.0.0:443
      profile=default certificate=none keepalive-timeout=60 add-default-route=no
      dial-on-demand=no authentication=pap,chap,mschap1,mschap2
[admin@Home] /interface sstp-client>
```

Now we need to add a static route on the Home router to reach the local network behind the Office router:

```
[admin@Home] /ip route> add dst-address=10.1.101.0/24 gateway=172.16.1.1
```

After the tunnel is established you should be able to ping the remote network.
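Added example, not part of the original page and not RouterOS code: a small check that derives from the /ppp secret addressing which of the two application patterns above applies, whether proxy-arp is needed on the LAN interface (remote client case) or which routes each side needs (site-to-site case), and flags overlapping site prefixes; the return structure and the argument names are my own.

```python
import ipaddress


def sstp_reachability_plan(lan_prefix, local_address, remote_address, remote_lan=None):
    """Decide, from the /ppp secret addressing, what the router still needs so that
    LAN hosts and the SSTP peer can reach each other.

    lan_prefix      LAN behind the SSTP server (ether2 in the examples)
    local_address   /ppp secret local-address (the server's tunnel end)
    remote_address  /ppp secret remote-address (the client's tunnel end)
    remote_lan      LAN behind the client, for the site-to-site case (optional)
    """
    lan = ipaddress.ip_network(lan_prefix, strict=True)
    local = ipaddress.ip_address(local_address)
    remote = ipaddress.ip_address(remote_address)
    if local == remote:
        raise ValueError("local-address and remote-address must differ")
    plan = {"mode": None, "proxy_arp_on_lan": False, "client_routes": [], "server_routes": []}
    if remote in lan:
        # Remote-client case: the peer borrows an address from the office LAN, so
        # workstations ARP for it on the LAN interface and only the router can answer.
        plan["mode"] = "remote-client"
        plan["proxy_arp_on_lan"] = True
        if local not in lan:
            raise ValueError("local-address should be the router's own address on that LAN")
    else:
        # Site-to-site case: the tunnel ends form their own link and traffic is routed.
        plan["mode"] = "site-to-site"
        plan["client_routes"].append((str(lan), str(local)))   # /ip route on the client side
        if remote_lan is not None:
            rlan = ipaddress.ip_network(remote_lan, strict=True)
            if rlan.overlaps(lan):
                raise ValueError("site LANs overlap; routing between them is ambiguous")
            # 'routes' value for the secret: "dst gateway distance", installed on connect
            plan["server_routes"].append("%s %s 1" % (rlan, remote))
    return plan
```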