How to use Mikrotik SSTP server with Windows 7 and above
First of all you need to create certificates: a CA (certification authority) certificate and a server certificate.
You can use openssl or create the certificates right in MikroTik (http://wiki.mikrotik.com/wiki/Manual:Create_Certificates).
In this case we generate the certificates in MikroTik RouterOS 6.
Make certificate templates:
/certificate
add name=ca-template common-name=CA key-usage=key-cert-sign,crl-sign
add name=server-template common-name=server
Sign the certificates and add a CRL URL. We will use the IP address of the server as the CRL URL (the ca-crl-host parameter):
/certificate
sign ca-template name=CA ca-crl-host=IP_ADDRESS
sign server-template ca=CA name=server
If a certificate does not have the T flag, you need to set it as trusted before using it:
/certificate
set CA trusted=yes
set server trusted=yes
Export the CA certificate (and, if you use client certificates, the client certificates with their keys):
/certificate export-certificate CA
After this command the certificate appears under Files with the name cert_export_CA.crt.
Install cert_export_CA.crt on Windows with certmgr.msc under Trusted Root Certificates for the local computer: https://technet.microsoft.com/en-us/library/cc754841(v=ws.11).aspx
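The following script is an added example, not part of the original page and not RouterOS or MikroTik code. It does two things this how-to relies on: it builds the same CA and server certificate pair with openssl (the alternative mentioned at the start instead of generating on the router), and it runs the checks worth doing on any CA/server certificate before installing the CA on Windows: the CA is allowed to sign certificates and CRLs (the key-usage set on ca-template above), the server certificate chains to that CA, and the CRL distribution point names the router's address. Assumptions: CRL_HOST (placeholder 203.0.113.1) stands in for IP_ADDRESS above, the CRL path /crl/ca.crl is a placeholder for wherever you publish the CRL, and output goes to OUT_DIR (a temporary directory by default). The same three checks can be pointed at a cert_export_CA.crt exported from the router.

```shell
#!/bin/sh
# Added example (not from the page): openssl equivalent of the RouterOS certificate
# steps above, followed by sanity checks on the resulting CA and server certificates.
# Assumptions: CRL_HOST is a placeholder for the router's IP_ADDRESS; the CRL URL path
# is a placeholder; files land in OUT_DIR (temp dir by default).
set -eu

CRL_HOST="${CRL_HOST:-203.0.113.1}"
OUT_DIR="${OUT_DIR:-$(mktemp -d)}"

# Minimal openssl config: a DN for the CA plus one extension section per role.
write_config() {
  cat > "$OUT_DIR/ssl.cnf" <<EOF
[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
CN = CA

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:$CRL_HOST
crlDistributionPoints = URI:http://$CRL_HOST/crl/ca.crl
authorityKeyIdentifier = keyid
EOF
}

# Self-signed CA; same role as ca-template with key-usage=key-cert-sign,crl-sign.
make_ca() {
  openssl genrsa -out "$OUT_DIR/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$OUT_DIR/ca.key" -sha256 -days 3650 \
    -config "$OUT_DIR/ssl.cnf" -extensions ca_ext -out "$OUT_DIR/ca.crt"
}

# Server certificate signed by the CA; same role as "sign server-template ca=CA".
make_server() {
  openssl genrsa -out "$OUT_DIR/server.key" 2048 2>/dev/null
  openssl req -new -key "$OUT_DIR/server.key" -subj "/CN=server" \
    -config "$OUT_DIR/ssl.cnf" -out "$OUT_DIR/server.csr"
  openssl x509 -req -in "$OUT_DIR/server.csr" -CA "$OUT_DIR/ca.crt" \
    -CAkey "$OUT_DIR/ca.key" -CAcreateserial -sha256 -days 825 \
    -extfile "$OUT_DIR/ssl.cnf" -extensions server_ext -out "$OUT_DIR/server.crt"
}

# Check 1: the CA certificate carries both "Certificate Sign" and "CRL Sign".
ca_can_sign_certs_and_crls() {
  usage=$(openssl x509 -in "$1" -noout -text | grep -A1 'X509v3 Key Usage')
  echo "$usage" | grep -q 'Certificate Sign' && echo "$usage" | grep -q 'CRL Sign'
}

# Check 2: the server certificate validates against the CA, as the client will do.
server_chains_to_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Check 3: the CRL distribution point URI names the expected host.
crl_points_at_host() {
  openssl x509 -in "$1" -noout -text | grep -q "URI:http://$2/"
}

main() {
  if ! command -v openssl >/dev/null 2>&1; then
    echo "openssl not found; nothing to do" >&2
    return 0
  fi
  write_config
  make_ca
  make_server
  ca_can_sign_certs_and_crls "$OUT_DIR/ca.crt" || { echo "FAIL: CA key usage" >&2; return 1; }
  server_chains_to_ca "$OUT_DIR/ca.crt" "$OUT_DIR/server.crt" || { echo "FAIL: chain" >&2; return 1; }
  crl_points_at_host "$OUT_DIR/server.crt" "$CRL_HOST" || { echo "FAIL: CRL host" >&2; return 1; }
  echo "OK: ca.crt (install on Windows), server.crt and server.key (router) are in $OUT_DIR"
}

main
```

Run it as CRL_HOST=<router address> sh script.sh; ca.crt is what goes into the Windows trusted root store, and server.crt plus server.key are what the router would import in place of the certificates generated on-box. To check a CA exported from the router instead, call ca_can_sign_certs_and_crls on cert_export_CA.crt.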
Set up the MikroTik SSTP server:
/interface sstp-server server
set authentication=mschap2 certificate=server default-profile=default-encryption enabled=yes force-aes=yes max-mru=1400 max-mtu=1400 mrru=1500 pfs=yes
Troubleshooting
- After a Windows 7 upgrade SSTP is unable to connect (Windows error 631)?
- MS patch KB2585542 changes the cipher to RC4, which was not supported on RouterOS. Starting from RouterOS v5.13 RC4 is the preferred cipher and AES is used only if the peer does not advertise RC4.
- I get the following error when trying to connect a Windows 7 client: Error 0x80070320 "The oplock that was associated with this handle is now associated with a different handle."
- Disable the verify-client-certificate option on the server.
- I get the following error: "Encryption negotiation rejected".
- Disable the use-encryption option in the PPP profile.