Difference between revisions of "Manual:Interface/SSTP"

From MikroTik Wiki
m (add package)
(Hostname verification)
 
(34 intermediate revisions by 4 users not shown)
Line 1: Line 1:
{{Versions|v5}}
+
{{Versions|v5, v6+}}
  
<div class=manual>
 
  
 
==Summary==
 
==Summary==
  
<p><b>Standards:</b> <code></code><br />
+
<p id="shbox"><b>Standards:</b> <code>[http://msdn.microsoft.com/en-us/library/cc247338(PROT.10).aspx SSTP specification]</code><br />
<b>Package:</b> <code>ppp</code></p>
+
<b>Package:</b> <code>ppp</code>
<br />
 
<p>
 
Secure Socket Tunneling Protocol (SSTP) is the way to transport PPP tunnel over SSL 3.0 channel. The use of SSL over TCP port 443 allows SSTP to pass through virtually all firewalls and proxy servers.
 
 
</p>
 
</p>
<p>
+
 
 +
 
 +
Secure Socket Tunneling Protocol (SSTP) transports a PPP tunnel over a TLS channel. The use of TLS over TCP port 443 allows SSTP to pass through virtually all firewalls and proxy servers.
 +
 
 +
 
 
<b>SSTP connection mechanism</b>
 
<b>SSTP connection mechanism</b>
<br />
+
 
 
[[File:sstp-how-works.png]]
 
[[File:sstp-how-works.png]]
 
<ul class="bullets">
 
<ul class="bullets">
 
<li> TCP connection is established from client to server (by default on port 443);
 
<li> TCP connection is established from client to server (by default on port 443);
<li> SSL validates server certificate. If certificate is valid connection is established otherwise connection is torn down.
+
<li> SSL validates server certificate. If certificate is valid connection is established otherwise connection is torn down. (But see note below)
 
<li> The client sends SSTP control packets within the HTTPS session which establishes the SSTP state machine on both sides.
 
<li> The client sends SSTP control packets within the HTTPS session which establishes the SSTP state machine on both sides.
 
<li> PPP negotiation over SSTP. Client authenticates to the server and binds IP addresses to SSTP interface
 
<li> PPP negotiation over SSTP. Client authenticates to the server and binds IP addresses to SSTP interface
 
<li> SSTP tunnel is now established and packet encapsulation can begin.
 
<li> SSTP tunnel is now established and packet encapsulation can begin.
 
</ul>
 
</ul>
</p>
 
<p>
 
If both client and server are Mikrotik routers, then it is possible to establish SSTP tunnel without certificates and with any available authentication type. Otherwise to establish secure tunnels <b>mschap</b> authentication and client/server certificates from the same chain should be used. [[#Certificates | <code>Read more>></code>]]
 
</p>
 
  
{{Note | Starting from v5.0beta2 SSTP does not require certificates to operate. This feature will work only between two MikroTik routers, as it is not according to standards.}}
+
{{Note | Starting from v5.0beta2 SSTP does not require certificates to operate and can use any available authentication type. This feature will work only between two MikroTik routers, as it is not in accordance with Microsoft standard. Otherwise to establish secure tunnels <b>mschap</b> authentication and client/server certificates from the same chain should be used. [[#Certificates | <code>Read more>></code>]]}}
  
Currently, SSTP clients exist only in Windows Vista, Windows 7 and RouterOS.
+
Currently, SSTP clients exist in Windows Vista, Windows 7, Windows 8, Linux and RouterOS.
  
{{Note | While connecting to SSTP server, Windows does CRL (certificate revocation list) checking on server certificate which can introduce '''significant delay''' to complete connection or even prevent user from accessing sstp server at all if Windows is unable to access CRL distribution point! Custom generated CA which does not include CRLs can be used to minimize connection delays and certificate costs (signed certificates with known CA usually are not for free), but this custom CA must be imported into each Windows client individually. It is possible to disable CRL check in Windows registry, but it is supported only by Windows Server 2008 http://support.microsoft.com/kb/947054 }}
+
{{Note | While connecting to SSTP server, Windows does CRL (certificate revocation list) checking on server certificate which can introduce a '''significant delay''' to complete a connection or even prevent the user from accessing the SSTP server at all if Windows is unable to access CRL distribution point! Custom generated CA which does not include CRLs can be used to minimize connection delays and certificate costs (signed certificates with known CA usually are not for free), but this custom CA must be imported into each Windows client individually. It is possible to disable CRL check in Windows registry, but it is supported only by Windows Server 2008 and Windows 7 http://support.microsoft.com/kb/947054 }}
  
 
==Certificates==
 
==Certificates==
  
To set up secure SSTP tunnel, certificates are required. On the server authentication is done only by username and password, but on the client - server is authenticated using server certificate. It is also used by client to cryptographicly bind SSL and PPP authentication, meaning - the clients sends a special value over SSTP connection to server, this value is derived from the key data that is generated during PPP authentication and server certificate, this allows server to check if both channels are secure.
+
{{ Note| Starting from RouterOS v6rc10 SSTP respects CRL}}
 +
 
 +
To set up a secure SSTP tunnel, certificates are required. On the server, authentication is done only by username and password, but on the client - the server is authenticated using a server certificate. It is also used by the client to cryptographically bind SSL and PPP authentication, meaning - the clients sends a special value over SSTP connection to the server, this value is derived from the key data that is generated during PPP authentication and server certificate, this allows the server to check if both channels are secure.
 +
 
 +
If SSTP clients are Windows PCs then only way to set up a secure SSTP tunnel when using self-signed certificate is by importing the "server" certificate on SSTP server and on the Windows PC adding CA certificate in [http://technet.microsoft.com/en-us/library/dd458982.aspx trusted root].
 +
{{Note|If your server certificate is issued by a CA which is already known by Windows, then the Windows client will work without any additional certificates.}}
 +
 
 +
{{Warning | RSA Key length must be at least 472 bits if certificate is used by [[M:Interface/SSTP | SSTP]]. Shorter keys are considered as security threats.}}
  
If sstp clients are Windows PCs then only way to set up secure SSTP tunnel when using self-signed certificate is by importing "server" certificate on SSTP server and on windows PC add CA certificate in trusted root. If your server certificate is issued by CA which is known by Windows, then Windows client will work witout any additional certificates.
+
Similar configuration on RouterOS client would be to import the CA certificate and enabling '''verify-server-certificate''' option. In this scenario Man-in-the-Middle attacks are not possible.
Similar configuration on RouterOS client would be, importing CA certificate and enabling '''verify-server-certificate''' option. In this scenario Man-in-the-Middle attacks are not possible.
 
  
Between two Mikrotik routers it is also possible to set up unsecured tunnel by not using certificates at all. In this case data going through SSTP tunnel is using anonymous DH and Man-in-the-Middle attacks are easily accomplished. This scenario is not compatible with Windows clients.
+
Between two Mikrotik routers it is also possible to set up an insecure tunnel by not using certificates at all. In this case data going through SSTP tunnel is using anonymous DH and Man-in-the-Middle attacks are easily accomplished. '''This scenario is not compatible with Windows clients'''.
  
It is also possible to make secure SSTP tunnel by adding additional authorization with client certificate.  
+
It is also possible to make a secure SSTP tunnel by adding additional authorization with a client certificate.  
 
Configuration requirements are:
 
Configuration requirements are:
 
* certificates on both server and client  
 
* certificates on both server and client  
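Review bot: the note rewritten at the top of this hunk ('Starting from v5.0beta2 SSTP does not require certificates to operate and can use any available authentication type') presents the certificate-less MikroTik-to-MikroTik mode as a convenience without stating its cost, while the Certificates paragraph further down in the same hunk states it plainly ('data going through SSTP tunnel is using anonymous DH and Man-in-the-Middle attacks are easily accomplished'). Suggest the note say in the same sentence that this mode gives no server authentication, so an active attacker on the path can sit inside the TLS session, and that with pap allowed the PPP password then crosses that session in clear, while chap/mschap exchanges can be captured for offline guessing; the remedy is the one the page already gives, certificates from the same chain plus mschap2. Separately, the new warning 'RSA Key length must be at least 472 bits' states a floor far below current practice: a 2048-bit key is the sensible minimum to recommend, and the unusual value 472 is worth double-checking against the implementation.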
Line 52: Line 54:
 
When ssl handshake fails, you will see one of the following certificate errors:
 
When ssl handshake fails, you will see one of the following certificate errors:
 
<ul class="bullets">
 
<ul class="bullets">
<li> <b>certificate is not yet valid</b>  -  <i>notBefore</i> date is after the current time.
+
<li> <b>certificate is not yet valid</b>  -  <i>notBefore</i> certificate date is after the current time.
<li> <b>certificate has expired</b> - <i>notAfter</i> date is before the current time.
+
<li> <b>certificate has expired</b> - <i>notAfter</i> certificate expiry date is before the current time.
 
<li> <b>invalid certificate purpose</b>  - the supplied certificate cannot be used for the specified purpose.
 
<li> <b>invalid certificate purpose</b>  - the supplied certificate cannot be used for the specified purpose.
 
<li> <b>self signed certificate in chain</b>  - the certificate chain could be built up using the untrusted certificates but the root could not be found locally.
 
<li> <b>self signed certificate in chain</b>  - the certificate chain could be built up using the untrusted certificates but the root could not be found locally.
 
<li> <b>unable to get issuer certificate locally</b> - CA certificate is not imported locally.
 
<li> <b>unable to get issuer certificate locally</b> - CA certificate is not imported locally.
 +
<li> <b>server's IP address does not match certificate</b> - server address verification is enabled, but address provided in certificate does not match server's address.
 
</ul>
 
</ul>
  
 +
===Hostname verification===
 +
 +
Server certificate verification is enabled on SSTP client, additionally if IP addresses or DNS name found in certificate's '''subjectAltName''' or '''common-name''' then '''issuer CN''' will be compared to the real servers address.
 +
v5.7 adds new parameter <var>verify-server-address-from-certificate</var> to disable/enable hostname verification.
  
 
==SSTP Client==
 
==SSTP Client==
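Review bot: the new 'Hostname verification' paragraph is not usable as written. 'if IP addresses or DNS name found in certificate's subjectAltName or common-name then issuer CN will be compared to the real servers address' names the issuer CN, but the issuer field identifies the CA, not the server; the comparison has to be against the subject's subjectAltName entries (or its CN as a fallback). Suggest rewording to 'the server's address is compared with the IP address or DNS name in the server certificate's subjectAltName or subject CN', and stating that this check only runs when verify-server-certificate=yes, as the paragraph's opening clause implies: without chain validation a matching name in an attacker-supplied certificate proves nothing. The matching error text added to the list above ('server's IP address does not match certificate') reads fine.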
Line 72: Line 79:
 
{{Mr-arg-table
 
{{Mr-arg-table
 
|arg=add-default-route
 
|arg=add-default-route
|type=<nowiki>yes | no</nowiki>
+
|type=yes {{!}} no
 
|default=no
 
|default=no
 
|desc=Whether to add SSTP remote address as a default route.
 
|desc=Whether to add SSTP remote address as a default route.
Line 80: Line 87:
 
{{Mr-arg-table
 
{{Mr-arg-table
 
|arg=authentication
 
|arg=authentication
|type=<nowiki>mschap2 | mschap1 | chap | pap</nowiki>
+
|type=mschap2 {{!}} mschap1 {{!}} chap {{!}} pap
 
|default=mschap2, mschap1, chap, pap
 
|default=mschap2, mschap1, chap, pap
 
|desc=Allowed authentication methods.
 
|desc=Allowed authentication methods.
Line 87: Line 94:
 
{{Mr-arg-table
 
{{Mr-arg-table
 
|arg=certificate
 
|arg=certificate
|type=<nowiki>string | none</nowiki>
+
|type=string {{!}} none
 
|default=none
 
|default=none
 
|desc=
 
|desc=
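Review bot: the client `certificate` entry still has an empty description ('|desc='). From the Certificates section this is the certificate the client presents when the server has verify-client-certificate=yes, so suggest 'Name of the client certificate, issued from the same chain as the server's, that is presented to the server; required when the server verifies client certificates', with a pointer to the same-chain requirement stated in that section.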
Line 104: Line 111:
 
|default=0.0.0.0:443
 
|default=0.0.0.0:443
 
|desc=Remote address and port of SSTP server.
 
|desc=Remote address and port of SSTP server.
 +
}}
 +
 +
{{Mr-arg-table
 +
|arg=default-route-distance
 +
|type=byte [0..255]
 +
|default=1
 +
|desc=sets distance value applied to auto created default route, if <var>add-default-route</var> is also selected
 
}}
 
}}
  
 
{{Mr-arg-table
 
{{Mr-arg-table
 
|arg=dial-on-demand
 
|arg=dial-on-demand
|type=<nowiki>yes | no</nowiki>
+
|type=yes {{!}} no
 
|default=no
 
|default=no
|desc=
+
|desc=connects to AC only when outbound traffic is generated. If selected, then route with gateway address from 10.112.112.0/24 network will be added while connection is not established.
 
}}
 
}}
  
 
{{Mr-arg-table
 
{{Mr-arg-table
 
|arg=disabled
 
|arg=disabled
|type=<nowiki>yes | no</nowiki>
+
|type=yes {{!}} no
 
|default=yes
 
|default=yes
 
|desc=Whether interface is disabled or not. By default it is disabled.
 
|desc=Whether interface is disabled or not. By default it is disabled.
 +
}}
 +
 +
{{Mr-arg-table
 +
|arg=http-proxy
 +
|type=IP:Port
 +
|default=0.0.0.0:443
 +
|desc=Address and port of HTTP proxy server.
 
}}
 
}}
  
 
{{Mr-arg-table
 
{{Mr-arg-table
 
|arg=keepalive-timeout
 
|arg=keepalive-timeout
|type=<nowiki>integer | disabled</nowiki>
+
|type=integer {{!}} disabled
 
|default=60
 
|default=60
|desc=
+
|desc=Sets keepalive timeout in seconds.
 
}}
 
}}
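Review bot: the new dial-on-demand description ('connects to AC only when outbound traffic is generated. If selected, then route with gateway address from 10.112.112.0/24 network will be added while connection is not established') looks copied from the PPPoE client page: 'AC' is the PPPoE access concentrator, and an SSTP client has no AC. Suggest 'connects to the SSTP server only when outbound traffic is generated', and confirming that the 10.112.112.0/24 placeholder route applies to sstp-client before keeping that sentence. Also in this hunk, http-proxy defaults to 0.0.0.0:443, which in practice means 'no proxy'; saying so in the description would stop operators assuming a proxy is in use.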
  
Line 143: Line 164:
 
{{Mr-arg-table
 
{{Mr-arg-table
 
|arg=mrru
 
|arg=mrru
|type=<nowiki>disabled | integer</nowiki>
+
|type=disabled {{!}} integer
 
|default=disabled
 
|default=disabled
 
|desc=Maximum packet size that can be received on the link. If a packet is bigger than tunnel MTU, it will be split into multiple packets, allowing full size IP or Ethernet packets to be sent over the tunnel. [[Manual:MLPPP_over_single_and_multiple_links | <code>Read more >></code>]]
 
|desc=Maximum packet size that can be received on the link. If a packet is bigger than tunnel MTU, it will be split into multiple packets, allowing full size IP or Ethernet packets to be sent over the tunnel. [[Manual:MLPPP_over_single_and_multiple_links | <code>Read more >></code>]]
Line 160: Line 181:
 
|default=""
 
|default=""
 
|desc=Password used for authentication.
 
|desc=Password used for authentication.
 +
}}
 +
 +
{{Mr-arg-table
 +
|arg=pfs
 +
|type=yes {{!}} no
 +
|default=no
 +
|desc=Enables "Perfect Forward Secrecy" which will make sure that private encryption key is generated for each session. Must be enabled on both server and client to work.
 
}}
 
}}
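Review bot: the pfs description ('makes sure that private encryption key is generated for each session') does not describe forward secrecy. The property is that session keys come from an ephemeral key exchange, so a later compromise of the private key behind the server certificate does not let previously recorded sessions be decrypted; the wording should say that. Since the default is no and, as the entry says, it must be enabled on both server and client to work, the description should also recommend enabling it on both ends wherever the peer supports it.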
  
Line 167: Line 195:
 
|default=default-encryption
 
|default=default-encryption
 
|desc=Used [[Manual:PPP_AAA#User_Profiles | PPP profile]].
 
|desc=Used [[Manual:PPP_AAA#User_Profiles | PPP profile]].
}}
 
 
{{Mr-arg-table
 
|arg=proxy
 
|type=IP:Port
 
|default=0.0.0.0:443
 
|desc=Address and port of HTTP proxy server.
 
 
}}
 
}}
  
Line 183: Line 204:
 
}}
 
}}
  
{{Mr-arg-table-end
+
{{Mr-arg-table
 +
|arg=tls-version
 +
|type=any {{!}} only-1.2
 +
|default=any
 +
|desc=Specifies which TLS versions to allow
 +
}}
 +
 
 +
{{Mr-arg-table
 
|arg=verify-server-certificate
 
|arg=verify-server-certificate
|type=<nowiki>yes | no</nowiki>
+
|type=yes {{!}} no
 
|default=no
 
|default=no
 
|desc=If set to yes, then client checks whether certificate belongs to the same certificate chain as server's certificate. To make it work CA certificate must be imported.
 
|desc=If set to yes, then client checks whether certificate belongs to the same certificate chain as server's certificate. To make it work CA certificate must be imported.
 +
}}
 +
 +
{{Mr-arg-table-end
 +
|arg=verify-server-address-from-certificate
 +
|type=yes {{!}} no
 +
|default=yes
 +
|desc=If set to yes, server's IP address will be compared to one set in certificate.  [[#Hostname verification| <code>Read More >></code>]]
 
}}
 
}}
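Review bot: the defaults in this hunk leave a fresh sstp-client with no server authentication: verify-server-certificate defaults to no, so the client accepts any certificate, and verify-server-address-from-certificate=yes adds nothing on its own because the address is only compared as part of certificate verification; tls-version likewise defaults to any. Suggest the table state that verify-server-certificate=yes with the CA imported is what the 'Man-in-the-Middle attacks are not possible' scenario in the Certificates section requires, and that tls-version=only-1.2 should be set when the server supports it. The verify-server-certificate wording 'checks whether certificate belongs to the same certificate chain as server's certificate' is also circular; it should say that the server's certificate is validated against the imported CA certificate, i.e. that it chains to a trusted root.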
  
Line 196: Line 231:
  
 
<pre>
 
<pre>
[admin@MikroTik]  /interface sstp-client>add user=sstp-test password=123 \
+
/interface sstp-client add user=sstp-test password=123 connect-to=10.1.101.1 disabled=no
\... connect-to=10.1.101.1 disabled=no
+
</pre>
[admin@MikroTik] /interface sstp-client> print
+
 
 +
<pre>
 +
/interface sstp-client print
 
Flags: X - disabled, R - running
 
Flags: X - disabled, R - running
 
  0  R name="sstp-out1" max-mtu=1500 max-mru=1500 mrru=disabled connect-to=10.1.101.1:443  
 
  0  R name="sstp-out1" max-mtu=1500 max-mru=1500 mrru=disabled connect-to=10.1.101.1:443  
       user="sstp-test" password="123" proxy=0.0.0.0:443 profile=default
+
       http-proxy=0.0.0.0:443 certificate=none verify-server-certificate=no
       certificate=none keepalive-timeout=60 add-default-route=no dial-on-demand=no  
+
       verify-server-address-from-certificate=yes user="sstp-test" password="123"
       authentication=pap,chap,mschap1,mschap2
+
      profile=default keepalive-timeout=60 add-default-route=no dial-on-demand=no
 
+
       authentication=pap,chap,mschap1,mschap2  
 
</pre>
 
</pre>
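Review bot: the client example in this hunk ('/interface sstp-client add user=sstp-test password=123 connect-to=10.1.101.1 disabled=no') and its print output ('certificate=none verify-server-certificate=no') demonstrate exactly the unauthenticated configuration the Certificates section warns against. Suggest the example import the CA certificate and pass verify-server-certificate=yes so readers copy a secure baseline. The print output is also stale relative to the parameter tables added in this revision: it shows neither pfs nor tls-version, so it should be regenerated from a router running the documented version.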
  
Line 211: Line 248:
  
 
<p>
 
<p>
This sub-menu shows interfaces for each connected SSTP clients.  
+
This sub-menu shows interfaces for each connected SSTP client.  
 
</p>
 
</p>
 
<p>
 
<p>
An interface is created for each tunnel established to the given server. There are two types of interfaces in PPTP server's configuration  
+
An interface is created for each tunnel established to the given server. There are two types of interfaces in SSTP server's configuration  
 
<ul class="bullets">
 
<ul class="bullets">
 
<li> Static interfaces are added administratively if there is a need to reference the particular interface name (in firewall rules or elsewhere) created for the particular user.  
 
<li> Static interfaces are added administratively if there is a need to reference the particular interface name (in firewall rules or elsewhere) created for the particular user.  
Line 236: Line 273:
 
{{Mr-arg-table
 
{{Mr-arg-table
 
|arg=authentication
 
|arg=authentication
|type=<nowiki>pap | chap | mschap1 | mschap2</nowiki>
+
|type=pap {{!}} chap {{!}} mschap1 {{!}} mschap2
 
|default=pap,chap,mschap1,mschap2
 
|default=pap,chap,mschap1,mschap2
 
|desc=Authentication methods that server will accept.
 
|desc=Authentication methods that server will accept.
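Review bot: the server authentication default ('pap,chap,mschap1,mschap2') accepts pap, which carries the password in clear inside the PPP session, while the page states further down that mschap is the only option valid for a secure tunnel. Suggest the description recommend authentication=mschap2 explicitly, as the Connecting Remote Client example already does; the client-side authentication table above has the same default and deserves the same remark.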
Line 243: Line 280:
 
{{Mr-arg-table
 
{{Mr-arg-table
 
|arg=certificate
 
|arg=certificate
|type=name | none
+
|type=name {{!}} none
 
|default=none
 
|default=none
 
|desc=Name of the certificate that SSTP server will use.
 
|desc=Name of the certificate that SSTP server will use.
Line 258: Line 295:
 
{{Mr-arg-table
 
{{Mr-arg-table
 
|arg=enabled
 
|arg=enabled
|type=<nowiki>yes | no</nowiki>
+
|type=yes {{!}} no
 
|default=no
 
|default=no
 
|desc= Defines whether SSTP server is enabled or not.
 
|desc= Defines whether SSTP server is enabled or not.
 +
}}
 +
 +
{{Mr-arg-table
 +
|arg=force-aes
 +
|type=yes {{!}} no
 +
|default=no
 +
|desc= Force AES encryption (AES256 is supported). If enabled windows clients (supports only RC4) will be unable to connect.
 
}}
 
}}
  
 
{{Mr-arg-table
 
{{Mr-arg-table
 
|arg=keepalive-timeout
 
|arg=keepalive-timeout
|type=<nowiki>integer | disabled</nowiki>
+
|type=integer {{!}} disabled
 
|default=60
 
|default=60
|desc=Defines the time period (in seconds) after which the router is starting to send keepalive packets every second. If no traffic and no keepalive responses has came for that period of time (i.e. 2 * keepalive-timeout), not responding client is proclaimed disconnected
+
|desc=If server during keepalive period does not receive any packet, it will send keepalive packets every second five times. If the server does not receives response from the client, then disconnect after 5 seconds.
 +
Logs will show 5x "LCP missed echo reply" messages and then disconnect.
 +
 
 
}}
 
}}
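Review bot: the force-aes description ('Force AES encryption (AES256 is supported). If enabled windows clients (supports only RC4) will be unable to connect') should make the trade-off explicit: with the default no, such a Windows client negotiates RC4, a cipher that is considered broken and is prohibited in TLS by RFC 7465, so the 'supports only RC4' claim is version-specific and should name the Windows versions it was observed on. Suggest recommending force-aes=yes wherever the client population allows it. Also in this hunk, the new keepalive-timeout text has a grammar slip ('does not receives') and 'then disconnect after 5 seconds' should read 'disconnects the client after five missed replies', which is what the log message sentence describes.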
  
Line 286: Line 332:
 
{{Mr-arg-table
 
{{Mr-arg-table
 
|arg=mrru
 
|arg=mrru
|type=<nowiki>disabled | integer</nowiki>
+
|type=disabled {{!}} integer
 
|default=disabled
 
|default=disabled
 
|desc= Maximum packet size that can be received on the link. If a packet is bigger than tunnel MTU, it will be split into multiple packets, allowing full size IP or Ethernet packets to be sent over the tunnel. [[Manual:MLPPP_over_single_and_multiple_links | <code>Read more >></code>]]
 
|desc= Maximum packet size that can be received on the link. If a packet is bigger than tunnel MTU, it will be split into multiple packets, allowing full size IP or Ethernet packets to be sent over the tunnel. [[Manual:MLPPP_over_single_and_multiple_links | <code>Read more >></code>]]
 
}}
 
}}
 +
 +
{{Mr-arg-table
 +
|arg=pfs
 +
|type=yes {{!}} no
 +
|default=no
 +
|desc=Enables "Perfect Forward Secrecy" which will make sure that private encryption key is generated for each session. Must be enabled on both server and client to work.
 +
}}
 +
 +
{{Mr-arg-table
 +
|arg=port
 +
|type=integer
 +
|default=443
 +
|desc=Port for SSTP service to listen on.
 +
}}
 +
 +
{{Mr-arg-table
 +
|arg=tls-version
 +
|type=any {{!}} only-1.2
 +
|default=any
 +
|desc=Specifies which TLS versions to allow
 +
}}
 +
  
 
{{Mr-arg-table-end
 
{{Mr-arg-table-end
 
|arg=verify-client-certificate
 
|arg=verify-client-certificate
|type=<nowiki>yes | no</nowiki>
+
|type=yes {{!}} no
 
|default=no
 
|default=no
 
|desc=If set to yes, then server checks whether client's certificate belongs to the same certificate chain.
 
|desc=If set to yes, then server checks whether client's certificate belongs to the same certificate chain.
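Review bot: verify-client-certificate defaults to no, and its description ('server checks whether client's certificate belongs to the same certificate chain') does not say which chain. Suggest 'checks that the client's certificate chains to the CA certificate imported on the server', plus a sentence noting that with the default no the client certificate is not checked, so client authentication rests on the PPP username and password alone, as the Certificates section states. The tls-version and pfs entries added here mirror the client-side ones, and the same recommendation applies: only-1.2 and pfs=yes where the peer supports them.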
Line 301: Line 369:
  
 
<pre>
 
<pre>
[admin@MikroTik] /interface sstp-server server> set certificate=server
+
/interface sstp-server server set certificate=server
[admin@MikroTik] /interface sstp-server server> set enabled=yes
+
/interface sstp-server server set enabled=yes
[admin@MikroTik] /interface sstp-server server> print  
+
</pre>
                    enabled: yes
+
 
                        port: 443
+
<pre>
                    max-mtu: 1500
+
/interface sstp-server server print  
                    max-mru: 1500
+
                    enabled: no
                        mrru: disabled
+
                      port: 443
          keepalive-timeout: 60
+
                    max-mtu: 1500
            default-profile: default
+
                    max-mru: 1500
                certificate: server
+
                      mrru: disabled
 +
          keepalive-timeout: 60
 +
            default-profile: default
 +
            authentication: pap,chap,mschap1,mschap2
 +
                certificate: none
 
   verify-client-certificate: no
 
   verify-client-certificate: no
              authentication: pap,chap,mschap1,mschap2
+
                  force-aes: no
[admin@MikroTik] /interface sstp-server server>
 
 
</pre>
 
</pre>
  
 
{{Warning |  
 
{{Warning |  
It is very important that date on the router is in the range of certificate's date of expiration .  To overcome any certificate verification problems, enable <b>NTP</b> date synchronization on both server and client.}}
+
It is very important that the date on the router is within the range of the certificate's date of expiration.  To overcome any certificate verification problems, enable <b>NTP</b> date synchronization on both server and client.}}
  
 
==Monitoring==
 
==Monitoring==
 
Monitor command can be used to monitor status of the tunnel on both client and server.
 
Monitor command can be used to monitor status of the tunnel on both client and server.
 
<pre>
 
<pre>
[admin@dzeltenais_burkaans] /interface sstp-server> monitor 0
+
/interface sstp-server monitor 0
 
     status: "connected"
 
     status: "connected"
 
     uptime: 17m47s
 
     uptime: 17m47s
Line 330: Line 401:
 
   caller-id: "10.1.101.18:43886"
 
   caller-id: "10.1.101.18:43886"
 
         mtu: 1500
 
         mtu: 1500
 
 
</pre>
 
</pre>
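Review bot: the rewritten server print output above (the block following '/interface sstp-server server set certificate=server' and 'set enabled=yes') shows 'enabled: no' and 'certificate: none', which contradicts the two set commands that precede it; the previous revision's output ('enabled: yes', 'certificate: server') was consistent with them. Suggest capturing the print after the set commands, or dropping the set commands if the intent is to show defaults, and keeping the NTP warning that follows, since a wrong clock produces the 'not yet valid' and 'has expired' errors listed earlier.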
  
Line 378: Line 448:
  
 
===Connecting Remote Client===
 
===Connecting Remote Client===
<p>The following example shows how to connect a computer to a remote office network over '''secure SSTP encrypted''' tunnel giving that computer an IP address from the same network as the remote office has (without need of bridging over EoIP tunnels)
+
The following example shows how to connect a computer to a remote office network over '''secure SSTP encrypted''' tunnel giving that computer an IP address from the same network as the remote office has (without the need for bridging over EoIP tunnels)
</p>
+
 
<p>
+
 
Consider following setup
+
Consider following setup:
</p>
+
 
 
[[File:sstp-rem-office.png]]
 
[[File:sstp-rem-office.png]]
<p>
+
 
 
Office router is connected to internet through <b>ether1</b>. Workstations are connected to <b>ether2</b>.
 
Office router is connected to internet through <b>ether1</b>. Workstations are connected to <b>ether2</b>.
 
Laptop is connected to the internet and can reach Office router's public IP (in our example it is 192.168.80.1).
 
Laptop is connected to the internet and can reach Office router's public IP (in our example it is 192.168.80.1).
</p>
 
  
Before you begin to configure SSTP you need to create server certificate and import it to router [[Manual:Create_Certificates | instructions here]].
 
  
Now it is time to create a user
+
Before you begin to configure SSTP you need to create a server certificate and import it into the router [[Manual:Create_Certificates | (instructions here)]].
 +
 
 +
Now it is time to create a user:
 +
<pre>
 +
/ppp secret add name=Laptop service=sstp password=123 local-address=10.1.101.1 \
 +
    remote-address=10.1.101.100
 +
</pre>
 
<pre>
 
<pre>
[admin@RemoteOffice] /ppp secret> add name=Laptop service=sstp password=123
+
/ppp secret print detail
local-address=10.1.101.1 remote-address=10.1.101.100
 
[admin@RemoteOffice] /ppp secret> print detail
 
 
Flags: X - disabled
 
Flags: X - disabled
 
   0  name="Laptop" service=sstp caller-id="" password="123" profile=default
 
   0  name="Laptop" service=sstp caller-id="" password="123" profile=default
 
       local-address=10.1.101.1 remote-address=10.1.101.100 routes==""
 
       local-address=10.1.101.1 remote-address=10.1.101.100 routes==""
 +
</pre>
 +
 +
Notice that SSTP local address is the same as the router's address on the local interface and the remote address is from the same range as the local network (10.1.101.0/24).
  
[admin@RemoteOffice] /ppp secret>
+
Next step is to enable SSTP server and SSTP client on the laptop:
 +
<pre>
 +
/interface sstp-server server set certificate=server
 +
/interface sstp-server server set enabled=yes
 +
/interface sstp-server server set authentication=mschap2
 
</pre>
 
</pre>
<p>
+
 
Notice that SSTP local address is the same as routers address on local interface and remote address is form the same range as local network (10.1.101.0/24).
 
</p>
 
<p>Next step is to enable sstp server and sstp client on the laptop.</p>
 
 
<pre>
 
<pre>
[admin@RemoteOffice] /interface sstp-server server> set certificate=server
+
/interface sstp-server server print
[admin@RemoteOffice] /interface sstp-server server> set enabled=yes
 
[admin@RemoteOffice] /interface sstp-server server> set authentication=mschap2
 
[admin@RemoteOffice] /interface sstp-server server> print
 
 
                     enabled: yes
 
                     enabled: yes
 
                         port: 443
 
                         port: 443
Line 421: Line 494:
 
   verify-client-certificate: no
 
   verify-client-certificate: no
 
               authentication: mschap2
 
               authentication: mschap2
 +
</pre>
 +
 +
Notice that authentication is set to <b>mschap</b>. These are the only authentication options that are valid to establish a secure tunnel.
 +
 +
 +
SSTP client from the laptop should connect to routers public IP which in our example is 192.168.80.1.
 +
 +
Please, consult the respective manual on how to set up a SSTP client with the software you are using. If you set up SSTP client on Windows and self-signed certificates are used, then CA certificate should be added to [http://technet.microsoft.com/en-us/library/dd458982.aspx trusted root].
  
[admin@RemoteOffice] /interface sstp-server server>
+
{{Note | Currently, SSTP is only fully supported on recent Windows OS releases such as Vista SP1, Windows 7, Windows 8, Windows 2008 etc. With other OS's such as Linux, results cannot be guaranteed. }}
</pre>
 
<p>
 
Notice that authentication is set to <b>mschap</b>. These are the only authentication options that are valid to establish secure tunnel.
 
</p>
 
<p>
 
SSTP client from the laptop should connect to routers public IP which in our example is 192.168.80.1. <br />
 
Please, consult the respective manual on how to set up a SSTP client with the software You are using. If you set up SSTP client on Windows and self-signed certificates are used, then CA certificate should be added to trusted root.
 
</p>
 
{{Note | Currently SSTP is supported on Windows 2008, Windows Vista and Vista SP1. Other OS will not be able to connect to SSTP server }}
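Review bot: in the server configuration for this example ('set certificate=server', 'set enabled=yes', 'set authentication=mschap2') the server is enabled before authentication is restricted, so for a moment it accepts the default pap/chap methods; suggest setting authentication first and enabling last. The sentence 'Notice that authentication is set to mschap' should say mschap2: the configuration allows only mschap2, and MS-CHAPv1 is the weaker of the two. The rewritten Windows note correctly says a self-signed CA must go into the trusted root store; it should also point back to the CRL remark in the Summary, since a custom CA without a CRL distribution point avoids the connection delay described there.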
 
  
  
To verify if sstp client is connected
+
To verify if SSTP client is connected
 
<pre>
 
<pre>
[admin@RemoteOffice] /interface sstp-server> print  
+
/interface sstp-server print  
 
Flags: X - disabled, D - dynamic, R - running  
 
Flags: X - disabled, D - dynamic, R - running  
 
  #    NAME      USER        MTU        CLIENT-ADDRESS    UPTIME  ENCODING   
 
  #    NAME      USER        MTU        CLIENT-ADDRESS    UPTIME  ENCODING   
 
  0  DR <sstp-... Laptop    1500      10.1.101.18:43886 1h47s   
 
  0  DR <sstp-... Laptop    1500      10.1.101.18:43886 1h47s   
 
+
</pre>
[admin@RemoteOffice] /interface sstp-server>monitor 0
+
<pre>
 +
/interface sstp-server monitor 0
 
     status: "connected"
 
     status: "connected"
 
     uptime: 1h45s
 
     uptime: 1h45s
Line 448: Line 521:
 
   caller-id: "192.168.99.1:43886"
 
   caller-id: "192.168.99.1:43886"
 
         mtu: 1500
 
         mtu: 1500
 
 
</pre>
 
</pre>
  
 
<p>
 
<p>
At this point (when SSTP client is successfully connected) if you will try to ping any workstation form the laptop, ping will time out, because Laptop is unable to get ARPs from workstations. Solution is to set up <var>proxy-arp</var> on local interface
+
At this point (when SSTP client is successfully connected) if you try to ping any workstation from the laptop, ping will time out, because Laptop is unable to get ARPs from workstations. Solution is to set up <var>proxy-arp</var> on local interface
 
</p>
 
</p>
 
<pre>
 
<pre>
[admin@RemoteOffice] /interface ethernet> set ether2 arp=proxy-arp
+
/interface ethernet set ether2 arp=proxy-arp
[admin@RemoteOffice] /interface ethernet> print
+
</pre>
 +
<pre>
 +
/interface ethernet print
 
Flags: X - disabled, R - running
 
Flags: X - disabled, R - running
 
   #    NAME                MTU  MAC-ADDRESS        ARP
 
   #    NAME                MTU  MAC-ADDRESS        ARP
 
   0  R ether1              1500  00:30:4F:0B:7B:C1 enabled
 
   0  R ether1              1500  00:30:4F:0B:7B:C1 enabled
 
   1  R ether2              1500  00:30:4F:06:62:12 proxy-arp
 
   1  R ether2              1500  00:30:4F:06:62:12 proxy-arp
[admin@RemoteOffice] interface ethernet>
 
 
</pre>
 
</pre>
 
<p>
 
<p>
After <var>proxy-arp</var> is enabled client can successfully reach all workstations in local network behind the router.
+
After <var>proxy-arp</var> is enabled client can successfully reach all workstations in the local network behind the router.
 
</p>
 
</p>
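Review bot: the proxy-arp step is needed only because the secret's remote-address (10.1.101.100) is taken from the LAN range (10.1.101.0/24); setting arp=proxy-arp on ether2 makes the router answer ARP on the LAN for addresses reachable through its other interfaces, which is wider than the single VPN client. If the goal is reachability rather than being on the same segment, suggest mentioning the alternative of giving SSTP clients their own subnet and routing it, which needs no proxy-arp; if L2 adjacency is wanted, the BCP bridging mentioned in the site-to-site section is the cleaner option.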
  
Line 470: Line 543:
 
<p>The following is an example of connecting two Intranets using SSTP tunnel over the Internet.</p>
 
<p>The following is an example of connecting two Intranets using SSTP tunnel over the Internet.</p>
 
<p>
 
<p>
Consider following setup
+
Consider following setup:
 
</p>
 
</p>
 
[[File:site-to-site-sstp-example.png]]
 
[[File:site-to-site-sstp-example.png]]
 
<p>
 
<p>
 
Office and Home routers are connected to internet through <b>ether1</b>, workstations and laptops are connected to <b>ether2</b>.
 
Office and Home routers are connected to internet through <b>ether1</b>, workstations and laptops are connected to <b>ether2</b>.
In this example both local networks are routed through sstp client, thus they are not in the same broadcast domain. To overcome this problem as any other ppp tunnel SSTP also supports [[#Read More | BCP]] which allows to bridge SSTP tunnel with local interface.
+
In this example both local networks are routed through SSTP client, thus they are not in the same broadcast domain. To overcome this problem as with any other ppp tunnel, SSTP also supports [[#Read More | BCP]] which allows it to bridge SSTP tunnel with a local interface.
 
</p>
 
</p>
First step is to create a user
+
First step is to create a user:
 
<pre>
 
<pre>
[admin@RemoteOffice] /ppp secret> add name=Home service=sstp password=123
+
/ppp secret add name=Home service=sstp password=123 local-address=172.16.1.1 \
local-address=172.16.1.1 remote-address=172.16.1.2 routes="10.1.202.0/24 172.16.1.2 1"
+
  remote-address=172.16.1.2 routes="10.1.202.0/24 172.16.1.2 1"
[admin@RemoteOffice] ppp secret> print detail
+
</pre>
 +
<pre>
 +
/ppp secret print detail
 
Flags: X - disabled
 
Flags: X - disabled
 
   0  name="Home" service=sstp caller-id="" password="123" profile=default
 
   0  name="Home" service=sstp caller-id="" password="123" profile=default
       local-address=172.16.1.1 remote-address=172.16.1.2 routes=="10.1.101.0/24 172.16.1.1 1"
+
       local-address=172.16.1.1 remote-address=172.16.1.2 routes=="10.1.202.0/24 172.16.1.2 1"
 
 
[admin@RemoteOffice] /ppp secret>
 
 
</pre>
 
</pre>
 
<p>
 
<p>
Notice that we set up SSTP to add route whenever client connects. If this option is not set, then you will need static routing configuration on the server to route traffic between sites through SSTP tunnel.
+
Notice that we set up SSTP to add a route whenever the client connects. If this option is not set, then you will need a static routing configuration on the server to route traffic between sites through the SSTP tunnel.
 
</p>
 
</p>
  
Now we need to upload and import CA and server/client certificates. Assume that files are already uploaded use following commands:
+
Now we need to upload and import CA and server/client certificates. Assuming that the files are already uploaded use following commands:
 
<pre>
 
<pre>
admin@RemoteOffice] /certificate> import file-name=ca.crt
+
/certificate import file-name=ca.crt
 
passphrase:  
 
passphrase:  
admin@RemoteOffice] /certificate> import file-name=server.crt
+
/certificate import file-name=server.crt
 
passphrase: ****
 
passphrase: ****
admin@RemoteOffice] /certificate> import file-name=server.key
+
/certificate import file-name=server.key
 
passphrase: ****
 
passphrase: ****
 
</pre>
 
</pre>
Set up proper names:
+
Edit names to something more meaningful:
 +
<pre>
 +
/certificate set 0 name=CA
 +
/certificate set 1 name=server
 +
</pre>
 
<pre>
 
<pre>
admin@RemoteOffice] /certificate>set 0 name=CA
+
/certificate print  
admin@RemoteOffice] /certificate>set 1 name=server
 
admin@RemoteOffice] /certificate> print  
 
 
Flags: K - decrypted-private-key, Q - private-key, R - rsa, D - dsa  
 
Flags: K - decrypted-private-key, Q - private-key, R - rsa, D - dsa  
  0  D name="CA" subject=C=LV,ST=RI,L=Riga,O=MT,CN=MT CA,emailAddress=marisb@mt.lv  
+
  0  D name="CA" subject=C=LV,ST=RI,L=Riga,O=MT,CN=MT CA,emailAddress=xx@mt.lv  
       issuer=C=LV,ST=RI,L=Riga,O=MT,CN=MT CA,emailAddress=marisb@mt.lv  
+
       issuer=C=LV,ST=RI,L=Riga,O=MT,CN=MT CA,emailAddress=xx@mt.lv  
       serial-number="DF626FA846090BCC" email=marisb@mt.lv invalid-before=jun/25/2008 07:23:50  
+
       serial-number="DF626FA846090BCC" email=xx@mt.lv invalid-before=jun/25/2008 07:23:50  
 
       invalid-after=jun/23/2018 07:23:50 ca=yes  
 
       invalid-after=jun/23/2018 07:23:50 ca=yes  
  
  1 KR name="server" subject=C=LV,ST=RI,L=Riga,O=MT,CN=server,emailAddress=marisb@mt.lv  
+
  1 KR name="server" subject=C=LV,ST=RI,L=Riga,O=MT,CN=server,emailAddress=xx@mt.lv  
       issuer=C=LV,ST=RI,L=Riga,O=MT,CN=MT CA,emailAddress=marisb@mt.lv serial-number="01"  
+
       issuer=C=LV,ST=RI,L=Riga,O=MT,CN=MT CA,emailAddress=xx@mt.lv serial-number="01"  
       email=marisb@mt.lv invalid-before=jun/25/2008 07:24:33 invalid-after=jun/23/2018 07:24:33  
+
       email=xx@mt.lv invalid-before=jun/25/2008 07:24:33 invalid-after=jun/23/2018 07:24:33  
 
       ca=yes  
 
       ca=yes  
 
</pre>
 
</pre>
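Review bot: the `set 0 name=CA` / `set 1 name=server` lines in this hunk assume the certificate list was empty before the import and that the entries come out in import order; on a router that already holds certificates the index numbers differ, so the text should tell the reader to run `/certificate print` first and rename by the index actually shown. On the same hunk, `password=123` for the Home secret is a fine placeholder, but since this secret authenticates the whole site-to-site tunnel a short clause saying to use a strong password in practice would help.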
Line 520: Line 595:
  
  
Next step is to enable SSTP server on the office router and configure SSTP client on the Home router.
+
Next step is to enable SSTP server on the office router:
 +
<pre>
 +
/interface sstp-server server set certificate=server
 +
/interface sstp-server server set enabled=yes
 +
/interface sstp-server server set verify-client-certificate=yes
 +
</pre>
 
<pre>
 
<pre>
[admin@RemoteOffice] /interface sstp-server server> set certificate=server
+
/interface sstp-server server print
[admin@RemoteOffice] /interface sstp-server server> set enabled=yes
 
[admin@RemoteOffice] /interface sstp-server server> set verify-client-certificate=yes
 
[admin@RemoteOffice] /interface sstp-server server> print
 
 
                     enabled: yes
 
                     enabled: yes
 
                         port: 443
 
                         port: 443
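Review bot: the command order in this hunk runs `set enabled=yes` before `set verify-client-certificate=yes`, so the listening service briefly accepts clients without client-certificate checks; apply `certificate=server` and `verify-client-certificate=yes` first and enable the server last, or combine all three in a single `set`.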
Line 536: Line 613:
 
   verify-client-certificate: yes
 
   verify-client-certificate: yes
 
               authentication: pap,chap,mschap1,mschap2
 
               authentication: pap,chap,mschap1,mschap2
 
 
</pre>
 
</pre>
  
 +
Now configure SSTP client on the Home router:
 
<pre>
 
<pre>
[admin@Home] /interface sstp-client> add user=Home password=123 connect-to=192.168.80.1 disabled=no
+
/interface sstp-client add user=Home password=123 connect-to=192.168.80.1 disabled=no \
 
   certificate=client verify-server-certificate=yes
 
   certificate=client verify-server-certificate=yes
[admin@Home] /interface sstp-client> print
+
</pre>
 +
<pre>
 +
/interface sstp-client print
 
Flags: X - disabled, R - running
 
Flags: X - disabled, R - running
 
  0  R name="sstp-out1" max-mtu=1500 max-mru=1500 mrru=disabled connect-to=192.168.80.1:443  
 
  0  R name="sstp-out1" max-mtu=1500 max-mru=1500 mrru=disabled connect-to=192.168.80.1:443  
Line 548: Line 627:
 
       keepalive-timeout=60 add-default-route=no dial-on-demand=no  
 
       keepalive-timeout=60 add-default-route=no dial-on-demand=no  
 
       authentication=pap,chap,mschap1,mschap2 verify-server-certificate=yes
 
       authentication=pap,chap,mschap1,mschap2 verify-server-certificate=yes
 
[admin@Home] /interface sstp-client>
 
 
</pre>
 
</pre>
  
Now we need to add static route on Home router to reach local network behind Office router
+
Now we need to add static route on Home router to reach local network behind Office router:
 
<pre>
 
<pre>
[admin@Home] /ip route> add dst-address=10.1.101.0/24 gateway=172.16.1.1
+
/ip route add dst-address=10.1.101.0/24 gateway=sstp-out1
 
</pre>
 
</pre>
  
 
After tunnel is established you should be able to ping remote network.
 
After tunnel is established you should be able to ping remote network.
 +
 +
==Troubleshooting==
 +
 +
; After Windows 7 upgrade SSTP is unable to connect (windows error 631) ?
 +
: MS Patch KB2585542 changes cypher to RC4 which was not supported on RouterOS. Starting from RouterOS v5.13  RC4 is the preferred cipher and AES will be used only if peer does not advertise RC4.
 +
 +
;I get following error when trying to connect Windows 7 client. Error 0x80070320 The oplock that was associated with this handle is now associated with a different handle.
 +
: Disable '''verify-client-certificate''' option on the server.
 +
 +
;I get following error "Encryption negotiation rejected”.
 +
: Disable '''use-encryption''' option in [[M:PPP_AAA#User_Profiles | ppp profile]].
  
 
==Read More==
 
==Read More==
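Review bot: the server print in this hunk still shows `authentication: pap,chap,mschap1,mschap2`, while the Connecting Remote Client example restricts it to mschap2 and describes mschap as the only option valid for a secure tunnel; the office router should get `set authentication=mschap2` before the print for consistency. Also, the new Troubleshooting entries tell the reader to disable `verify-client-certificate` and `use-encryption` as fixes; a clause stating what each gives up (client certificate authentication on the server, and PPP-level encryption inside the tunnel) would let readers judge the trade-off.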
Line 563: Line 651:
 
<li>[[Manual:Create_Certificates | Creating Certificates]]</li>
 
<li>[[Manual:Create_Certificates | Creating Certificates]]</li>
 
<li>[[Manual:BCP_bridging_(PPP_tunnel_bridging) | BCP (Bridge Control Protocol)]]</li>
 
<li>[[Manual:BCP_bridging_(PPP_tunnel_bridging) | BCP (Bridge Control Protocol)]]</li>
<li>http://technet.microsoft.com/en-us/library/cc731352(WS.10).aspx</li>
+
<li>[http://technet.microsoft.com/en-us/library/cc731352(WS.10).aspx Microsoft SSTP Remote Access Step-by-Step Guide]</li>
<li>Free [http://www.startssl.com/ trusted Class1 certificates] online</li>
+
<li>Free [http://www.startssl.com/ trusted Class1 certificates] from startssl.com</li>
 +
<li>Free [http://sstp-client.sourceforge.net/ Linux SSTP Client]</li>
 
</ul>
 
</ul>
  

Latest revision as of 14:44, 20 August 2019

Applies to RouterOS: v5, v6+


Summary

Standards: SSTP specification
Package: ppp


Secure Socket Tunneling Protocol (SSTP) transports a PPP tunnel over a TLS channel. The use of TLS over TCP port 443 allows SSTP to pass through virtually all firewalls and proxy servers.


SSTP connection mechanism

[Figure: sstp-how-works.png]

  • TCP connection is established from client to server (by default on port 443);
  • SSL validates server certificate. If certificate is valid connection is established otherwise connection is torn down. (But see note below)
  • The client sends SSTP control packets within the HTTPS session which establishes the SSTP state machine on both sides.
  • PPP negotiation over SSTP. Client authenticates to the server and binds IP addresses to SSTP interface
  • SSTP tunnel is now established and packet encapsulation can begin.
Note: Starting from v5.0beta2 SSTP does not require certificates to operate and can use any available authentication type. This feature works only between two MikroTik routers, as it is not in accordance with the Microsoft standard. Otherwise, to establish secure tunnels, mschap authentication and client/server certificates from the same chain should be used. Read more>>


Currently, SSTP clients exist in Windows Vista, Windows 7, Windows 8, Linux and RouterOS.

Note: While connecting to an SSTP server, Windows does CRL (certificate revocation list) checking on the server certificate, which can introduce a significant delay before the connection completes, or even prevent the user from reaching the SSTP server at all if Windows is unable to access the CRL distribution point. A custom generated CA that does not include CRLs can be used to minimize connection delays and certificate costs (signed certificates from a known CA are usually not free), but this custom CA must be imported into each Windows client individually. It is possible to disable the CRL check in the Windows registry, but this is supported only by Windows Server 2008 and Windows 7: http://support.microsoft.com/kb/947054


Certificates

Note: Starting from RouterOS v6rc10 SSTP respects CRL


To set up a secure SSTP tunnel, certificates are required. On the server, authentication is done only by username and password, but on the client the server is authenticated using a server certificate. The certificate is also used by the client to cryptographically bind SSL and PPP authentication: the client sends a special value over the SSTP connection to the server, derived from the key data generated during PPP authentication and from the server certificate, which allows the server to check that both channels are secure.

If the SSTP clients are Windows PCs, then the only way to set up a secure SSTP tunnel with a self-signed certificate is to import the "server" certificate on the SSTP server and add the CA certificate to the trusted root store on the Windows PC.

Note: If your server certificate is issued by a CA which is already known by Windows, then the Windows client will work without any additional certificates.


Warning: RSA key length must be at least 472 bits if the certificate is used by SSTP. Shorter keys are considered a security risk.


The corresponding configuration on a RouterOS client is to import the CA certificate and enable the verify-server-certificate option. In this scenario Man-in-the-Middle attacks are not possible.

Between two MikroTik routers it is also possible to set up an insecure tunnel by not using certificates at all. In this case the data going through the SSTP tunnel is protected only by anonymous DH, and Man-in-the-Middle attacks are easily accomplished. This scenario is not compatible with Windows clients.

It is also possible to make a secure SSTP tunnel by adding additional authorization with a client certificate. Configuration requirements are:

  • certificates on both server and client
  • verification options enabled on server and client

This scenario is also not possible with Windows clients, because there is no way to set up client certificate on Windows.

Certificate error messages

When the SSL/TLS handshake fails, you will see one of the following certificate errors:

  • certificate is not yet valid - notBefore certificate date is after the current time.
  • certificate has expired - notAfter certificate expiry date is before the current time.
  • invalid certificate purpose - the supplied certificate cannot be used for the specified purpose.
  • self signed certificate in chain - the certificate chain could be built up using the untrusted certificates but the root could not be found locally.
  • unable to get issuer certificate locally - CA certificate is not imported locally.
  • server's IP address does not match certificate - server address verification is enabled, but address provided in certificate does not match server's address.

Hostname verification

Server certificate verification is enabled on the SSTP client; additionally, if IP addresses or a DNS name are found in the certificate's subjectAltName or common name, that name or address is compared to the real server's address. v5.7 adds the parameter verify-server-address-from-certificate to enable or disable this hostname verification.
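As an added example (not RouterOS code), the following Python models the client-side checks behind the certificate error messages listed above and the hostname verification just described. The certificate dicts, the hypothetical intermediate "MT Sub CA", the addresses 192.168.80.1 and *.example.test, and the "current time" are all constructed for the demonstration; signature verification is assumed to have passed and is not modelled.

```python
from datetime import datetime, timezone
import ipaddress

MAX_CHAIN_DEPTH = 8

def utc_date(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)

# Constructed sample certificates (no real key material). Subject names and
# validity dates mirror the '/certificate print' output on this page; the
# intermediate "MT Sub CA" is hypothetical, added so the chain walk is exercised.
VALID = {"not_before": utc_date(2008, 6, 25), "not_after": utc_date(2018, 6, 23)}
CA_CERT = {"subject": "C=LV,O=MT,CN=MT CA", "issuer": "C=LV,O=MT,CN=MT CA",
           "cn": "MT CA", "san": [], "purposes": ["ca"], **VALID}
SUB_CA_CERT = {"subject": "C=LV,O=MT,CN=MT Sub CA", "issuer": "C=LV,O=MT,CN=MT CA",
               "cn": "MT Sub CA", "san": [], "purposes": ["ca"], **VALID}
SERVER_CERT = {"subject": "C=LV,O=MT,CN=server", "issuer": "C=LV,O=MT,CN=MT Sub CA",
               "cn": "server", "san": ["192.168.80.1", "*.example.test"],
               "purposes": ["tls-server"], **VALID}
NOW = utc_date(2010, 1, 1)  # constructed "current time" inside the validity window

def _find_by_subject(name, certs):
    return next((c for c in certs if c["subject"] == name), None)

def _chain_error(leaf, untrusted, trusted):
    """Follow issuer links from the leaf until a locally imported CA is reached.
    Signatures are assumed to verify; only chain construction is modelled."""
    cert = leaf
    for _ in range(MAX_CHAIN_DEPTH):
        if _find_by_subject(cert["issuer"], trusted) is not None:
            return None  # anchored in the CA store filled by '/certificate import'
        if cert["issuer"] == cert["subject"]:
            # Chain ends in a self-signed root that was never imported locally.
            return "self signed certificate in chain"
        cert = _find_by_subject(cert["issuer"], untrusted)
        if cert is None:
            return "unable to get issuer certificate locally"
    return "unable to get issuer certificate locally"

def _dns_match(pattern, hostname):
    """Exact match, or a single-label wildcard such as '*.example.test'."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        h_labels, p_labels = hostname.split("."), pattern.split(".")
        return (len(h_labels) == len(p_labels) and h_labels[0] != ""
                and h_labels[1:] == p_labels[1:])
    return pattern == hostname

def _address_matches(cert, server_address):
    """Compare connect-to against the IPs/DNS names in the SAN and the CN."""
    names = list(cert["san"]) + ([cert["cn"]] if cert["cn"] else [])
    if not names:
        return True  # nothing in the certificate to compare against
    try:
        wanted = ipaddress.ip_address(server_address)
    except ValueError:
        wanted = None  # connect-to is a DNS name
    for name in names:
        try:
            name_ip = ipaddress.ip_address(name)
        except ValueError:
            name_ip = None
        if name_ip is not None:
            if wanted is not None and name_ip == wanted:
                return True
        elif wanted is None and _dns_match(name, server_address):
            return True
    return False

def verify_server_certificate(leaf, untrusted, trusted, now=NOW,
                              server_address=None, verify_address=True):
    """None if the server certificate is accepted, else one of the error strings
    listed above. 'untrusted' is the chain sent by the peer, 'trusted' the CAs
    imported on the client; 'verify_address' mirrors
    verify-server-address-from-certificate (default yes)."""
    if now < leaf["not_before"]:
        return "certificate is not yet valid"
    if now > leaf["not_after"]:
        return "certificate has expired"
    if "tls-server" not in leaf["purposes"]:
        return "invalid certificate purpose"
    err = _chain_error(leaf, untrusted, trusted)
    if err is not None:
        return err
    if (verify_address and server_address is not None
            and not _address_matches(leaf, server_address)):
        return "server's IP address does not match certificate"
    return None
```

Passing the peer's chain as `untrusted` and only the imported CA as `trusted` reproduces the difference between "self signed certificate in chain" (root received from the peer but never imported) and "unable to get issuer certificate locally" (issuer not available at all).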

SSTP Client

Sub-menu: /interface sstp-client

Properties

Property Description
add-default-route (yes | no; Default: no) Whether to add SSTP remote address as a default route.
authentication (mschap2 | mschap1 | chap | pap; Default: mschap2, mschap1, chap, pap) Allowed authentication methods.
certificate (string | none; Default: none)
comment (string; Default: ) Descriptive name of an item
connect-to (IP:Port; Default: 0.0.0.0:443) Remote address and port of SSTP server.
default-route-distance (byte [0..255]; Default: 1) sets distance value applied to auto created default route, if add-default-route is also selected
dial-on-demand (yes | no; Default: no) connects to AC only when outbound traffic is generated. If selected, then route with gateway address from 10.112.112.0/24 network will be added while connection is not established.
disabled (yes | no; Default: yes) Whether interface is disabled or not. By default it is disabled.
http-proxy (IP:Port; Default: 0.0.0.0:443) Address and port of HTTP proxy server.
keepalive-timeout (integer | disabled; Default: 60) Sets keepalive timeout in seconds.
max-mru (integer; Default: 1500) Maximum Receive Unit. Max packet size that SSTP interface will be able to receive without packet fragmentation.
max-mtu (integer; Default: 1500) Maximum Transmission Unit. Max packet size that SSTP interface will be able to send without packet fragmentation.
mrru (disabled | integer; Default: disabled) Maximum packet size that can be received on the link. If a packet is bigger than tunnel MTU, it will be split into multiple packets, allowing full size IP or Ethernet packets to be sent over the tunnel. Read more >>
name (string; Default: ) Descriptive name of the interface.
password (string; Default: "") Password used for authentication.
pfs (yes | no; Default: no) Enables "Perfect Forward Secrecy" which will make sure that private encryption key is generated for each session. Must be enabled on both server and client to work.
profile (name; Default: default-encryption) Used PPP profile.
user (string; Default: ) User name used for authentication.
tls-version (any | only-1.2; Default: any) Specifies which TLS versions to allow
verify-server-certificate (yes | no; Default: no) If set to yes, then client checks whether certificate belongs to the same certificate chain as server's certificate. To make it work CA certificate must be imported.
verify-server-address-from-certificate (yes | no; Default: yes) If set to yes, server's IP address will be compared to one set in certificate. Read More >>

Quick example

This example demonstrates how to set up SSTP client with username "sstp-test", password "123" and server 10.1.101.1

/interface sstp-client add user=sstp-test password=123 connect-to=10.1.101.1 disabled=no
/interface sstp-client print
Flags: X - disabled, R - running
 0  R name="sstp-out1" max-mtu=1500 max-mru=1500 mrru=disabled connect-to=10.1.101.1:443 
      http-proxy=0.0.0.0:443 certificate=none verify-server-certificate=no 
      verify-server-address-from-certificate=yes user="sstp-test" password="123" 
      profile=default keepalive-timeout=60 add-default-route=no dial-on-demand=no
      authentication=pap,chap,mschap1,mschap2 

SSTP Server

Sub-menu: /interface sstp-server

This sub-menu shows interfaces for each connected SSTP client.

An interface is created for each tunnel established to the given server. There are two types of interfaces in the SSTP server's configuration:

  • Static interfaces are added administratively if there is a need to reference the particular interface name (in firewall rules or elsewhere) created for the particular user.
  • Dynamic interfaces are added to this list automatically whenever a user is connected and its username does not match any existing static entry (or in case the entry is active already, as there can not be two separate tunnel interfaces referenced by the same name).

Dynamic interfaces appear when a user connects and disappear once the user disconnects, so it is impossible to reference the tunnel created for that user in the router configuration (for example, in the firewall); if you need persistent rules for that user, create a static entry for him/her. Otherwise it is safe to use dynamic configuration.

Note: in both cases PPP users must be configured properly - static entries do not replace PPP configuration.



Server configuration

Sub-menu: /interface sstp-server server

Properties:

Property Description
authentication (pap | chap | mschap1 | mschap2; Default: pap,chap,mschap1,mschap2) Authentication methods that server will accept.
certificate (name | none; Default: none) Name of the certificate that SSTP server will use.
default-profile (name; Default: default)
enabled (yes | no; Default: no) Defines whether SSTP server is enabled or not.
force-aes (yes | no; Default: no) Force AES encryption (AES256 is supported). If enabled, Windows clients (which support only RC4) will be unable to connect.
keepalive-timeout (integer | disabled; Default: 60) If the server does not receive any packet during the keepalive period, it sends keepalive packets every second, five times. If the server gets no response from the client, it disconnects after 5 seconds. The log will show five "LCP missed echo reply" messages followed by the disconnect.
max-mru (integer; Default: 1500) Maximum Receive Unit. Max packet size that SSTP interface will be able to receive without packet fragmentation.
max-mtu (integer; Default: 1500) Maximum Transmission Unit. Max packet size that SSTP interface will be able to send without packet fragmentation.
mrru (disabled | integer; Default: disabled) Maximum packet size that can be received on the link. If a packet is bigger than tunnel MTU, it will be split into multiple packets, allowing full size IP or Ethernet packets to be sent over the tunnel. Read more >>
pfs (yes | no; Default: no) Enables "Perfect Forward Secrecy" which will make sure that private encryption key is generated for each session. Must be enabled on both server and client to work.
port (integer; Default: 443) Port for SSTP service to listen on.
tls-version (any | only-1.2; Default: any) Specifies which TLS versions to allow
verify-client-certificate (yes | no; Default: no) If set to yes, then server checks whether client's certificate belongs to the same certificate chain.


/interface sstp-server server set certificate=server
/interface sstp-server server set enabled=yes
/interface sstp-server server print 
                    enabled: yes
                       port: 443
                    max-mtu: 1500
                    max-mru: 1500
                       mrru: disabled
          keepalive-timeout: 60
            default-profile: default
             authentication: pap,chap,mschap1,mschap2
                certificate: server
  verify-client-certificate: no
                  force-aes: no
Warning: It is very important that the date on the router is within the certificate's validity period. To avoid certificate verification problems, enable NTP time synchronization on both server and client.


Monitoring

Monitor command can be used to monitor status of the tunnel on both client and server.

/interface sstp-server monitor 0
     status: "connected"
     uptime: 17m47s
  idle-time: 17m47s
       user: "sstp-test"
  caller-id: "10.1.101.18:43886"
        mtu: 1500

Read-only properties

Property Description
status () Current SSTP status. A value other than "connected" indicates that there are problems establishing the tunnel.
uptime (time) Elapsed time since tunnel was established.
idle-time (time) Elapsed time since last activity on the tunnel.
user (string) Username used to establish the tunnel.
mtu (integer) Negotiated and used MTU
caller-id (IP:ID)

Application Examples

Connecting Remote Client

The following example shows how to connect a computer to a remote office network over a secure SSTP encrypted tunnel, giving that computer an IP address from the same network as the remote office (without the need for bridging over EoIP tunnels).


Consider following setup:

[Figure: sstp-rem-office.png]

Office router is connected to internet through ether1. Workstations are connected to ether2. Laptop is connected to the internet and can reach Office router's public IP (in our example it is 192.168.80.1).


Before you begin to configure SSTP you need to create a server certificate and import it into the router (instructions here).

Now it is time to create a user:

/ppp secret add name=Laptop service=sstp password=123 local-address=10.1.101.1 \
    remote-address=10.1.101.100
/ppp secret print detail
Flags: X - disabled
  0   name="Laptop" service=sstp caller-id="" password="123" profile=default
      local-address=10.1.101.1 remote-address=10.1.101.100 routes==""

Notice that SSTP local address is the same as the router's address on the local interface and the remote address is from the same range as the local network (10.1.101.0/24).

Next step is to enable SSTP server and SSTP client on the laptop:

/interface sstp-server server set certificate=server
/interface sstp-server server set enabled=yes
/interface sstp-server server set authentication=mschap2
/interface sstp-server server print
                     enabled: yes
                        port: 443
                     max-mtu: 1500
                     max-mru: 1500
                        mrru: disabled
           keepalive-timeout: 60
             default-profile: default
                 certificate: server
  verify-client-certificate: no
              authentication: mschap2

Notice that authentication is set to mschap2; the mschap methods are the only authentication options that are valid for establishing a secure tunnel.


SSTP client from the laptop should connect to routers public IP which in our example is 192.168.80.1.

Please, consult the respective manual on how to set up a SSTP client with the software you are using. If you set up SSTP client on Windows and self-signed certificates are used, then CA certificate should be added to trusted root.

Note: Currently, SSTP is only fully supported on recent Windows OS releases such as Vista SP1, Windows 7, Windows 8, Windows 2008 etc. With other OS's such as Linux, results cannot be guaranteed.



To verify that the SSTP client is connected:

/interface sstp-server print 
Flags: X - disabled, D - dynamic, R - running 
 #     NAME      USER         MTU        CLIENT-ADDRESS    UPTIME   ENCODING   
 0  DR <sstp-... Laptop     1500       10.1.101.18:43886 1h47s  
/interface sstp-server monitor 0
     status: "connected"
     uptime: 1h45s
  idle-time: 1h45s
       user: "Laptop"
  caller-id: "192.168.99.1:43886"
        mtu: 1500

At this point (when the SSTP client is successfully connected), if you try to ping any workstation from the laptop, the ping will time out, because the laptop is unable to get ARP replies from the workstations. The solution is to set up proxy-arp on the local interface:

/interface ethernet set ether2 arp=proxy-arp
/interface ethernet print
Flags: X - disabled, R - running
  #    NAME                 MTU   MAC-ADDRESS         ARP
  0  R ether1              1500  00:30:4F:0B:7B:C1 enabled
  1  R ether2              1500  00:30:4F:06:62:12 proxy-arp

After proxy-arp is enabled client can successfully reach all workstations in the local network behind the router.

Site-to-Site SSTP

The following is an example of connecting two Intranets using SSTP tunnel over the Internet.

Consider following setup:

[Figure: site-to-site-sstp-example.png]

Office and Home routers are connected to internet through ether1, workstations and laptops are connected to ether2. In this example both local networks are routed through SSTP client, thus they are not in the same broadcast domain. To overcome this problem as with any other ppp tunnel, SSTP also supports BCP which allows it to bridge SSTP tunnel with a local interface.

First step is to create a user:

/ppp secret add name=Home service=sstp password=123 local-address=172.16.1.1 \
  remote-address=172.16.1.2 routes="10.1.202.0/24 172.16.1.2 1"
/ppp secret print detail
Flags: X - disabled
  0   name="Home" service=sstp caller-id="" password="123" profile=default
      local-address=172.16.1.1 remote-address=172.16.1.2 routes=="10.1.202.0/24 172.16.1.2 1"

Notice that we set up SSTP to add a route whenever the client connects. If this option is not set, then you will need a static routing configuration on the server to route traffic between sites through the SSTP tunnel.

Now we need to upload and import CA and server/client certificates. Assuming that the files are already uploaded use following commands:

/certificate import file-name=ca.crt
passphrase: 
/certificate import file-name=server.crt
passphrase: ****
/certificate import file-name=server.key
passphrase: ****

Edit names to something more meaningful:

/certificate set 0 name=CA
/certificate set 1 name=server
/certificate print 
Flags: K - decrypted-private-key, Q - private-key, R - rsa, D - dsa 
 0  D name="CA" subject=C=LV,ST=RI,L=Riga,O=MT,CN=MT CA,emailAddress=xx@mt.lv 
      issuer=C=LV,ST=RI,L=Riga,O=MT,CN=MT CA,emailAddress=xx@mt.lv 
      serial-number="DF626FA846090BCC" email=xx@mt.lv invalid-before=jun/25/2008 07:23:50 
      invalid-after=jun/23/2018 07:23:50 ca=yes 

 1 KR name="server" subject=C=LV,ST=RI,L=Riga,O=MT,CN=server,emailAddress=xx@mt.lv 
      issuer=C=LV,ST=RI,L=Riga,O=MT,CN=MT CA,emailAddress=xx@mt.lv serial-number="01" 
      email=xx@mt.lv invalid-before=jun/25/2008 07:24:33 invalid-after=jun/23/2018 07:24:33 
      ca=yes 

Do the same on client side, but instead of server's certificate import client's certificate.


Next step is to enable SSTP server on the office router:

/interface sstp-server server set certificate=server
/interface sstp-server server set enabled=yes
/interface sstp-server server set verify-client-certificate=yes
/interface sstp-server server print
                     enabled: yes
                        port: 443
                     max-mtu: 1500
                     max-mru: 1500
                        mrru: disabled
           keepalive-timeout: 60
             default-profile: default
                 certificate: server
  verify-client-certificate: yes
              authentication: pap,chap,mschap1,mschap2

Now configure SSTP client on the Home router:

/interface sstp-client add user=Home password=123 connect-to=192.168.80.1 disabled=no \
  certificate=client verify-server-certificate=yes
/interface sstp-client print
Flags: X - disabled, R - running
 0  R name="sstp-out1" max-mtu=1500 max-mru=1500 mrru=disabled connect-to=192.168.80.1:443 
       user="Home" password="123" proxy=0.0.0.0:443 profile=default certificate=client
       keepalive-timeout=60 add-default-route=no dial-on-demand=no 
       authentication=pap,chap,mschap1,mschap2 verify-server-certificate=yes

Now we need to add static route on Home router to reach local network behind Office router:

/ip route add dst-address=10.1.101.0/24 gateway=sstp-out1

After tunnel is established you should be able to ping remote network.

Troubleshooting

After Windows 7 upgrade SSTP is unable to connect (Windows error 631)?
MS patch KB2585542 changes the cipher to RC4, which was not supported on RouterOS. Starting from RouterOS v5.13 RC4 is the preferred cipher and AES is used only if the peer does not advertise RC4.
I get the following error when trying to connect a Windows 7 client: Error 0x80070320 "The oplock that was associated with this handle is now associated with a different handle."
Disable the verify-client-certificate option on the server.
I get the following error: "Encryption negotiation rejected".
Disable the use-encryption option in the ppp profile.

Read More

