A few months ago, we found a problem with one the Mikrotik Routerboard RB1100AH unit. We discovered that the fans are not working. As we have a cold spare unit, I just transferred the latest backup to the new unit.
After the reboot, everything began to work. That was easy on the first sight. However, I discovered soon that the remote offices are not connected to the central location. The VPN links were down.
Although we restored the latest binary backup that should contain the certificates for the SSTP VPN service, the certificates were unrecognized. Eventually I replaced both certificates and solved the problem.
How I spotted the problem?
The first thing after restoring the backup was to check the routing and Internet access. Then I checked whether the IPSec tunnel up. I thought I had finished the job as everything looked good. To make things more interesting, I updated the new main router to the latest version of the RouterOS software.
After half an hour, I spotted that the branch office is not connected to our main network. I accessed the branch office router and began to check the VPN setting. I knew that there is a small chance that something were wrong with it, but I wanted to be sure that everything is good on that side.
I had also a doubt that maybe there is a bug in the newer version or some incompatibility between the two versions of the RouterOS software. Therefore, I updated the RouterOS software also on the branch office router. As the problem remains after the upgrade, I had to dive deeper into the problem.
The client side
I opened the log on the client side. It was full of the try and fail messages. Here is an example:
jul/07 13:12:19 sstp,ppp,info sstp-out1: initializing...
jul/07 13:12:19 sstp,ppp,info sstp-out1: connecting…
jul/07 13:12:19 sstp,ppp,info sstp-out1: terminating… – internal error (6)
jul/07 13:12:19 sstp,ppp,debug sstp-out1: LCP lowerdown
jul/07 13:12:19 sstp,ppp,debug sstp-out1: LCP down event in initial state
jul/07 13:12:19 sstp,ppp,info sstp-out1: disconnected
I checked the SSTP client settings. The parameters for the remote server, username and password were correct.
The next step was to disable and re-enable the SSTP client. This sometimes solve the problem. I again checked the log and found that there is no change.
The biggest confusion was caused by the line that indicate that the SSTP tunnel was terminated due an internal error. On the first look that means that something is wrong on this side.
I knew that I could repair the client-side VPN on this way. However, as I made major changes on the main router, I decided to leave now the branch office router.
Checking the server side
I began to check the new router. The SSTP server settings looked good. Moreover, the SSTP VPN service depends on the certificates, when the clients are not the Mikrotik devices. We discussed that in this post.
I opened the Certificates store and discovered the root of the problem. The certificates were not recognized and the private key of the router certificate was not found.
I tried to reload the private key of the router certificate. This was unsuccessful. The router was display certificates and all seemed well, just did not work.
I spent maybe ten minutes trying to repair the certificates. Eventually, I deleted both the Root CA and Router certificates; then load them again. Now we have properly loaded and decrypted certificate for the router. As I mention in this post, we never give the private key of the root CA certificate.
I renamed the certificates with the friendly names. We have one more step in this procedure. As we deleted the old certificates, the Mikrotik router will disassociate them from the SSTP service.
I opened the properties for the SSTP service and I chose appropriate certificate from the drop down list.
After I clicked on the button [ Apply ], the SSTP VPN connections are established. We solved the problem and another case is closed.