niren
Frequent Visitor
Topic Author
Posts: 76
Joined: Mon Oct 14, 2013 9:59 am

SSTP VPN for multiple client

Sun Jan 19, 2014 5:04 pm

I have implemented SSTP server in our mikrotik router by these links http://wiki.mikrotik.com/wiki/Manual:Interface/SSTP and http://wiki.mikrotik.com/wiki/SSTP_step-by-step. Right now it is working fine, but I can't implement multiple clients with different certificates.

As of now: For multiple clients, I need to install the same certificates (ca.crt and client.crt) on all clients' remote laptops to connect to the SSTP server of the MikroTik router, and I need to install the same ca.crt and server.crt certificates in the MikroTik router; then I can have different secrets for all clients.

I want: I need to create different certificates with different validity periods for all clients to connect to the same SSTP server. Is this possible with SSTP VPN?
 
niren
Frequent Visitor
Topic Author
Posts: 76
Joined: Mon Oct 14, 2013 9:59 am

Re: SSTP VPN for multiple client

Tue Feb 04, 2014 11:30 am

@all if anyone doesn't understand please let me
 
patrickmkt
Member Candidate
Posts: 202
Joined: Sat Jul 28, 2012 5:21 pm

Re: SSTP VPN for multiple client

Tue Feb 04, 2014 4:54 pm

You should be able to use different client certificates in each client as long as they are signed by the same CA.


Server: CA.crt + Server.crt (signed by CA) + Server.key

Client1: CA.crt + Client1.crt (signed by CA) + Client1.key
Client2: CA.crt + Client2.crt (signed by CA) + Client2.key

I have been using it so far without any issue on SSTP up to v6.7, as v6.9 has something broken in the encryption stack.
It is also working with OVPN.
 
niren
Frequent Visitor
Topic Author
Posts: 76
Joined: Mon Oct 14, 2013 9:59 am

Re: SSTP VPN for multiple client

Thu Feb 06, 2014 5:17 pm

SSTP is not working as I expected. I have created the certificates manually as per this link: http://wiki.mikrotik.com/wiki/Manual:Cr ... rtificates

Certificate Installed in SSTP server: server.crt + ca.crt
Certificate Installed in SSTP client: client.crt + ca.crt

Certificate selected in SSTP server: ca.crt (If I select server.crt, connection won't be established)
SSTP client = ca.crt in TrustedRootCertificates, client.crt in Personal.

Regardless of whether client.crt is installed or not, the connection is established once I import ca.crt into TrustedRootCertificates, since the SSTP server has ca.crt selected. So the connection got established after I installed ca.crt on both ends; there is no need for server.crt and client.crt to be installed.

If I import and select server.crt in the SSTP server and import client.crt into Personal on the client side, the connection cannot be established.
 
mrz
MikroTik Support
Posts: 7198
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: SSTP VPN for multiple client

Thu Feb 06, 2014 5:34 pm

Since you are talking about importing ca.crt into TrustedRootCertificates, I assume that the clients are Windows.
As far as I know Microsoft does not support two-way certificate validation.
The Microsoft client just checks whether the server certificate is signed by a CA in the trusted root store.
This is also mentioned in the documentation:
http://wiki.mikrotik.com/wiki/Manual:In ... rtificates
 
patrickmkt
Member Candidate
Posts: 202
Joined: Sat Jul 28, 2012 5:21 pm

Re: SSTP VPN for multiple client

Thu Feb 06, 2014 8:56 pm

SSTP is not working as I expected. I have created the certificates manually as per this link: http://wiki.mikrotik.com/wiki/Manual:Cr ... rtificates

Certificate Installed in SSTP server: server.crt + ca.crt
Certificate Installed in SSTP client: client.crt + ca.crt

Certificate selected in SSTP server: ca.crt (If I select server.crt, connection won't be established)
SSTP client = ca.crt in TrustedRootCertificates, client.crt in Personal.

What you call server.crt, ca.crt and client.crt, are they certificates with keys (public and private part of the cert) or not?
If you enter the full CA certificate (with its key) on both sides, that would explain why it's working on your setup.
Neither the server nor the clients should have the private part of the CA, just the public part (what I called ca.crt). The private part (ca.key) should be used only on another machine, for the sole purpose of signing the client and server certificates.

To summarize what I wrote before:
On the server you should have the public certificates for CA and server, and the private key for the server. The server cert should be signed by the CA.
On the client you should have the public certificates for CA and client, and the private key for the client. The client cert should be signed by the CA.
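As an added example (not from anyone in this thread, and not MikroTik's own tooling), the layout patrickmkt summarizes built with openssl on a separate signing machine: ca.key stays there, the server and each client get their own key and a CA-signed cert, each client with its own validity period (niren's original question), and openssl verify shows what a peer actually checks. The CN values and directory layout are assumptions.

```shell
# Build a small PKI: one offline CA, a server cert, two client certs with
# different validity periods, plus a cert from an unrelated CA that must be
# rejected. Directory layout and CN values are constructed for this example.
build_sstp_pki() {
  dir="$1"
  mkdir -p "$dir/ca" "$dir/server" "$dir/client1" "$dir/client2" "$dir/rogue"
  # CA: ca.crt is distributed to server and clients; ca.key never leaves here
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Example SSTP CA" \
    -keyout "$dir/ca/ca.key" -out "$dir/ca/ca.crt" 2>/dev/null
  # Server: own key + CSR, signed by the CA (server gets ca.crt, server.crt, server.key)
  openssl req -newkey rsa:2048 -nodes -subj "/CN=vpn.example.test" \
    -keyout "$dir/server/server.key" -out "$dir/server/server.csr" 2>/dev/null
  openssl x509 -req -days 825 -in "$dir/server/server.csr" \
    -CA "$dir/ca/ca.crt" -CAkey "$dir/ca/ca.key" -CAcreateserial \
    -out "$dir/server/server.crt" 2>/dev/null
  # Clients: same procedure, each with its own CN and its own -days value
  for c in client1:365 client2:90; do
    name=${c%%:*}; days=${c##*:}
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
      -keyout "$dir/$name/$name.key" -out "$dir/$name/$name.csr" 2>/dev/null
    openssl x509 -req -days "$days" -in "$dir/$name/$name.csr" \
      -CA "$dir/ca/ca.crt" -CAkey "$dir/ca/ca.key" -CAcreateserial \
      -out "$dir/$name/$name.crt" 2>/dev/null
  done
  # Self-signed cert from an unrelated CA: a peer trusting ca.crt must reject it
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=rogue" \
    -keyout "$dir/rogue/rogue.key" -out "$dir/rogue/rogue.crt" 2>/dev/null
}

# The check a peer performs: does this cert chain to ca.crt? 0 = yes, 1 = no.
verify_against_ca() {
  openssl verify -CAfile "$1/ca/ca.crt" "$2" >/dev/null 2>&1
}

# Example run (temporary directory, constructed):
# d=$(mktemp -d); build_sstp_pki "$d"
# verify_against_ca "$d" "$d/client1/client1.crt" && echo "client1 chains to CA"
# verify_against_ca "$d" "$d/rogue/rogue.crt" || echo "rogue cert rejected"
```

Only ca.crt (no key) is what gets installed in the Windows trusted root store and on the router alongside server.crt + server.key; the per-client -days value is what gives each client its own validity period.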