Softether to Routerboard site-to-site

ozone
Posts: 57
Joined: Thu Sep 19, 2019 7:18 pm

Softether to Routerboard site-to-site

Post by ozone » Thu Sep 19, 2019 8:38 pm

Hi everyone,

For some years I've been running a few Softether (SE) servers configured as SSTP site-to-site VPNs and SSTP VPN servers for Windows clients.

This works well....

Recently I'm trying to set up an SSTP site-to-site tunnel from (or to) a Mikrotik Routerboard (RB) device.

Windows clients (built-in client) can connect to both types without a problem.
The RB client CAN connect to the RB SSTP server, and
the Softether client CAN connect to the Softether SSTP server.
But they have trouble connecting to each other directly (RB-client->SE-server or SE-client->RB-server).

If you let an RB SSTP client connect to the Softether server, it connects ONLY with RC4 encryption (apparently the only cipher they can both agree on).
If you let a Softether client (or cascade) connect to the RB SSTP server, it will fail completely since it NEEDS a hub name entered before you can "OK" the settings. The RB server however does not work with (virtual) hubs.

Is there a way to allow a higher cipher (AES256 >) for the combination RB-client -> Softether-server?
Or
Is there a way to persuade the Softether-client (cascade) NOT to enter a hub and still connect to the RB-server?


I love the "Softether-way", but unfortunately I am not in charge of all remote sites, and they may choose different products like the RB.
We however still need to create secure tunnels between them.


Hope to hear if there is a way to fix this.

Thank You.

ozone
Posts: 57
Joined: Thu Sep 19, 2019 7:18 pm

Re: Softether to Routerboard site-to-site

Post by ozone » Tue Oct 01, 2019 8:22 pm

Oh, come on people.... 1100+ views in just over a week... Not a single response.

This is clearly something many people are at least a bit interested in.
But no one, including none of the SE mods, bothered to comment. Very disappointing.

OK, I realize that not everyone uses this combination.
But using a very outdated cipher (RC4) over a standardized interface (like SSTP) is very unwise.
As described in the previous post, only the RB->SE vpn over SSTP has this issue.
Windows->SE or Windows->RB over SSTP both do not. The latter two both encrypt AES256.
So both RB and SE can do better than RC4. But that is what the connection handshake works out.
You can view this as a bug... a vulnerability... a weak point at the very least.

In the other direction, so from SE (cascade-client)->RB-server it simply does not work, because of the mandatory "hub" entry setting.


So... If there are readers that find this matter of interest too, please comment.
Maybe someone knows a workaround??
Also, if no-one reacts, SE-programmers have no incentive to look at it for just one user.
If more people think this is a good idea, they might.

I really hope that someone can fix this.
Please react... Hopefully also SE-folks.

Thank you.

ozone
Posts: 57
Joined: Thu Sep 19, 2019 7:18 pm

Re: Softether to Routerboard site-to-site

Post by ozone » Sun Oct 20, 2019 1:37 am

Hi,

1 month and 3000+ views later, not a single response. But there is apparently sufficient interest for this combination as the counter keeps going.
Maybe split it up in 2 separate scenarios then. That might be easier for the developers.

1) The most likely and already semi-working: Mikrotik SSTP client connects to SE SSTP server.
2) The less likely, and currently totally dysfunctional option: SE client connects to Mikrotik SSTP server.

As it is probably moot which way the connection should be brought online in a site-to-site scenario (every Mikrotik device has both client and server built in, as does every SE server install), why not focus on "1", as it already works (albeit with only an obsolete RC4 cipher).


So please Softether mods/developers, please take a look at why in scenario "1" the cipher ALWAYS falls back to RC4, while all other clients I've tried (Windows native, Android) connect to both types of servers with at least AES256.
The same thing happens when an MT client connects to an MT SSTP server, and also when an SE client connects to an SE SSTP server: at least AES256.
Only the combination MT<->SE seems to be an issue.

(The MT device can be downloaded as a VM in various formats, and tried for a limited time at full speed, or used indefinitely with a speed limit. https://wiki.mikrotik.com/wiki/Manual:CHR )

Thank you very much in advance.

Oz
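The thread's complaint is that the RB-client -> SE-server combination silently settles on RC4 while every other pairing gets AES256. Because SSTP is carried inside an ordinary TLS session on TCP 443, an administrator can observe the negotiated cipher suite with a plain TLS handshake rather than guessing from the VPN status screen. The script below is an added example written for this thread, not code from SoftEther or MikroTik; the host and port are placeholders, and the cipher spec you pass to `probe_cipher_spec` is whatever you want to confirm the server does or does not accept. Whether an old cipher such as RC4 can even be offered depends on the local OpenSSL build, which the probe reports instead of failing.

```python
"""Added example (not from the forum thread or either vendor): report the TLS
cipher an SSTP endpoint negotiates and flag weak suites such as RC4.

Assumptions: the SSTP endpoint listens on TCP 443 (the SSTP default), and the
host names used below are placeholders you replace with your own servers.
"""
import socket
import ssl

# Substrings that mark a cipher suite as weak by today's standards.
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5")


def classify_cipher(name):
    """Classify an OpenSSL cipher name: 'weak', 'strong' (AEAD suites) or 'acceptable'."""
    upper = name.upper()
    if any(marker in upper for marker in WEAK_MARKERS):
        return "weak"
    if "GCM" in upper or "CHACHA20" in upper:
        return "strong"
    return "acceptable"


def negotiated_cipher(host, port=443, timeout=5.0):
    """Open a TLS session with the local default cipher list and return
    (cipher_name, protocol, key_bits) as reported by ssl.SSLSocket.cipher().

    Verification is disabled only because the goal is to observe negotiation;
    use a verifying context when you also want to authenticate the peer."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.cipher()


def probe_cipher_spec(host, cipher_spec, port=443, timeout=5.0):
    """Offer ONLY the given OpenSSL cipher spec (for example 'RC4-SHA') and
    report whether the server accepts it. Returns one of:
      'not-offerable-locally' - local OpenSSL cannot build that cipher list
      'refused'               - handshake failed, server will not use it
      'accepted:<name>'       - server completed the handshake with <name>"""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.set_ciphers(cipher_spec)
    except ssl.SSLError:
        return "not-offerable-locally"
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "accepted:" + tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return "refused"


def format_report(host, port, cipher_tuple):
    """Render one human-readable line from a cipher() tuple plus its verdict."""
    name, proto, bits = cipher_tuple
    return f"{host}:{port} {proto} {name} ({bits}-bit) -> {classify_cipher(name)}"


if __name__ == "__main__":
    # Placeholder endpoints; replace with your SE and RB SSTP servers.
    for host in ("softether.example.invalid", "routerboard.example.invalid"):
        try:
            print(format_report(host, 443, negotiated_cipher(host)))
            print(host, "RC4-SHA:", probe_cipher_spec(host, "RC4-SHA"))
        except OSError as exc:
            print(host, "unreachable:", exc)
```

Run it from a machine that can reach both SSTP endpoints: the first line per host shows what a modern TLS client negotiates, and the RC4 probe shows whether the server would still accept RC4 if a client offered nothing else, which is the fallback behaviour the thread describes. A server that answers `refused` to the RC4 probe cannot be talked into that suite regardless of what the peer offers.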
