MikroTik

How to use MikroTik SSTP server with Windows 7 and above

First of all you need to create certificates: a CA (certification authority) certificate and a server certificate.

You can use OpenSSL or create the certificates directly in MikroTik RouterOS (http://wiki.mikrotik.com/wiki/Manual:Create_Certificates).

In this case we generate the certificates in MikroTik RouterOS 6.

Make the certificate templates:

/certificate
add name=ca-template common-name=CA key-usage=key-cert-sign,crl-sign
add name=server-template common-name=server

Sign the certificates and add the CRL URL. We will use the IP address of the server as the CRL URL.

/certificate 
sign ca-template name=CA ca-crl-host=IP_ADDRESS
sign server-template ca=CA name=server

If a certificate does not have the T flag, you need to set it as trusted before using it:

/certificate
set CA trusted=yes
set server trusted=yes

Export the CA certificate so that it can be installed on the Windows clients:

/certificate export-certificate CA

After this command the certificate appears in Files under the name cert_export_CA.crt.

Install cert_export_CA.crt on Windows with certmgr.msc, in Trusted Root Certification Authorities for the local computer: https://technet.microsoft.com/en-us/library/cc754841(v=ws.11).aspx

Set up the MikroTik SSTP server

/interface sstp-server server
set authentication=mschap2 certificate=server default-profile=default-encryption enabled=yes force-aes=yes max-mru=1400 max-mtu=1400 mrru=1500 pfs=yes
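
An added example, not part of the original post and not MikroTik's own code: a small Python check that reads the /interface sstp-server server section of a RouterOS export and reports settings weaker than the ones above. The defaults used for omitted parameters and both sample exports are assumptions constructed for illustration.

```python
import re
import shlex

# Assumption: an export omits parameters still at these RouterOS defaults.
DEFAULTS = {"enabled": "no", "authentication": "pap,chap,mschap1,mschap2",
            "certificate": "none", "force-aes": "no", "pfs": "no"}
WEAK_AUTH = {"pap", "chap", "mschap1"}

def parse_sstp_server(export_text):
    """Collect key=value pairs from 'set' lines under /interface sstp-server server."""
    settings, in_section = dict(DEFAULTS), False
    # Join wrapped lines (trailing backslash, indented continuation).
    text = re.sub(r"\\\n\s*", "", export_text)
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            in_section = line == "/interface sstp-server server"
        elif in_section and line.startswith("set "):
            for token in shlex.split(line[4:]):
                key, sep, value = token.partition("=")
                if sep:
                    settings[key] = value
    return settings

def audit_sstp_server(settings):
    """Return (parameter, reason) pairs for settings weaker than the page's setup."""
    if settings["enabled"] != "yes":
        return []  # server is off, nothing is exposed
    findings = []
    weak = sorted(WEAK_AUTH & set(settings["authentication"].split(",")))
    if weak:
        findings.append(("authentication", "weak methods allowed: " + ",".join(weak)))
    if settings["certificate"] == "none":
        findings.append(("certificate", "no server certificate, clients cannot verify the server"))
    if settings["force-aes"] == "no":
        findings.append(("force-aes", "RC4 can be negotiated"))
    if settings["pfs"] == "no":
        findings.append(("pfs", "no forward secrecy for the TLS session"))
    return findings

# Constructed sample exports: the page's settings and a server enabled with defaults.
PAGE_CONFIG = """/interface sstp-server server
set authentication=mschap2 certificate=server default-profile=default-encryption \\
    enabled=yes force-aes=yes max-mru=1400 max-mtu=1400 mrru=1500 pfs=yes
"""
WEAK_CONFIG = "/interface sstp-server server\nset enabled=yes\n"

if __name__ == "__main__":
    print(audit_sstp_server(parse_sstp_server(WEAK_CONFIG)))
```
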

Troubleshooting

After a Windows 7 upgrade, SSTP is unable to connect (Windows error 631)?
MS Patch KB2585542 changes the cipher to RC4, which was not supported on RouterOS. Starting from RouterOS v5.13, RC4 is the preferred cipher and AES will be used only if the peer does not advertise RC4.
I get the following error when trying to connect a Windows 7 client: Error 0x80070320 The oplock that was associated with this handle is now associated with a different handle.
Disable the verify-client-certificate option on the server.
I get the following error: "Encryption negotiation rejected".
Disable the use-encryption option in the PPP profile.