Softether to Routerboard site-to-site


Post by ozone » Thu Sep 19, 2019 8:38 pm

Hi everyone,

For some years I've been running a few Softether (SE) servers configured as SSTP site-to-site VPNs and SSTP VPN servers for Windows clients.

This works well....

Recently I've been trying to set up an SSTP site-to-site tunnel from (or to) a MikroTik Routerboard (RB) device.

Windows clients (built-in client) can connect to both types without a problem.
The RB-client CAN connect to the RB-sstp-server and,
the Softether client CAN connect to the Softether SSTP server.
But they have trouble connecting to each other directly (RB-client->SE-server or SE-client->RB-server).

If you let an RB-SSTP-client connect to the Softether server, it connects ONLY with RC4 encryption (apparently the only cipher they can both agree on).
If you let a Softether-client (or cascade) connect to the RB-sstp-server, it will fail completely since it NEEDS a hub-name entered before you can "OK" the settings. The RB-server however does not work with (virtual) hubs.

Is there a way to allow a higher cipher (AES256 >) for the combination RB-client -> Softether-server?
Is there a way to persuade the Softether-client (cascade) NOT to enter a hub and still connect to the RB-server?

I love the "Softether-way", but unfortunately I am not in charge of all remote sites, and they may choose different products like the RB.
We however still need to create secure tunnels between them.

Hope to hear if there is a way to fix this.

Thank You.


Re: Softether to Routerboard site-to-site

Post by ozone » Tue Oct 01, 2019 8:22 pm

Oh, come on people.... 1100+ views in just over a week... Not a single response.

This is clearly something many people are at least a bit interested in.
But no one, including none of the SE mods, bothered to comment. Very disappointing.

OK, I realize that not everyone uses this combination.
But using a very outdated cipher (RC4) over a standardized interface (like SSTP) is very unwise.
As described in the previous post, only the RB->SE vpn over SSTP has this issue.
Windows->SE or Windows->RB over SSTP both do not. The latter two both encrypt AES256.
So both RB and SE can do better than RC4. But that is what the connection-handshake works out.
You can view this as a bug... a vulnerability... a weak-point at the very least.

In the other direction, so from SE (cascade-client)->RB-server it simply does not work, because of the mandatory "hub" entry setting.

So... If there are readers that find this matter of interest too, please comment.
Maybe someone knows a workaround??
Also, if no-one reacts, SE-programmers have no incentive to look at it for just one user.
If more people think this is a good idea, they might.

I really hope that someone can fix this.
Please react... Hopefully also SE-folks.

Thank you.
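
Added example, not part of either post and not SoftEther or MikroTik code: SSTP runs inside TLS, so a packet capture of the RB-client -> SE-server handshake shows whether the client offered any AES suite or the server picked RC4 despite one being offered. The sketch below parses the raw ClientHello and ServerHello records; it assumes each hello fits in a single TLS record, the suite table is a small subset of the IANA registry, and `build_sample` produces constructed test records, not captured traffic.

```python
import struct

# Subset of IANA TLS cipher suite IDs relevant to the RC4-vs-AES question.
SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}

def name(suite_id):
    return SUITES.get(suite_id, "0x%04X" % suite_id)

def parse_hello(record):
    """Return ("client", offered_ids) or ("server", [chosen_id]) for one TLS record."""
    if len(record) < 44 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    pos = 5 + 4 + 2 + 32        # record header, handshake header, version, random
    pos += 1 + record[pos]      # skip session_id
    if record[5] == 0x01:       # ClientHello: length-prefixed list of suites
        (n,) = struct.unpack_from("!H", record, pos)
        return "client", list(struct.unpack_from("!%dH" % (n // 2), record, pos + 2))
    if record[5] == 0x02:       # ServerHello: the single selected suite
        return "server", list(struct.unpack_from("!H", record, pos))
    raise ValueError("not a ClientHello or ServerHello")

def diagnose(client_record, server_record):
    """Say whether RC4 came from the client's offer or the server's choice."""
    offered = parse_hello(client_record)[1]
    chosen = parse_hello(server_record)[1][0]
    if "RC4" not in name(chosen):
        return "ok: server selected " + name(chosen)
    aes = [name(s) for s in offered if "AES" in name(s)]
    if aes:
        return "server chose %s although client offered %s" % (name(chosen), ", ".join(aes))
    return "client offered no AES suite from the table; server selected " + name(chosen)

def build_sample(hs_type, suites):
    """Constructed minimal hello (zero random, empty session id), for the demo only."""
    ids = struct.pack("!%dH" % len(suites), *suites)
    tail = struct.pack("!H", len(ids)) + ids + b"\x01\x00" if hs_type == 0x01 else ids + b"\x00"
    body = b"\x03\x03" + bytes(32) + b"\x00" + tail
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    print(diagnose(build_sample(0x01, [0x0005, 0x0004]), build_sample(0x02, [0x0005])))
```

If the first diagnosis comes back, the limit is in what the client offers; if the second, it is the server's suite preference or allowed-cipher setting that needs changing.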
