On Friday, 6 April 2018 18:55:18 BST gevisz wrote:
> 2018-04-06 2:10 GMT+03:00 Grant Taylor <gtay...@gentoo.tnetconsulting.net>:
> > I'd encourage your friend to check out the VPN capabilities built into
> > Windows. He may need to install / configure (R)RAS to enable the
> > features.
>
> Thank you for your advice. He is currently trying to set up RAS with SSTP
> but RAS client so far cannot log into the server, while a third party VPN
> just works (until the remote computer hangs for so far unknown reason that
> even may not be connected with the VPN server).
>
> We will continue to experiment to find the reason.

Typical problems incurred with SSTP are relating to username authentication
and TLS certificate selection/configuration.

SSTP authenticates OS users, not devices/PCs. So use the *same* username and
passwd on all the OS login, SSTP VPN & RRAS wizards.

The TLS server certificate has to contain a DN which will resolve to the IP of
the server in question, or better use the IP address both in the CN and the
X509v3 Subject Alternative Name fields.

In addition, the SSTP certificate binding has to use the same TLS certificate
with that selected for RRAS and this is not always obvious (for SSTP at
least). You can use MSWindows' 'netsh ras show sstp-ssl-cert' command to show
the TLS certificate in use by SSTP and compare this with the RRAS certificate
selection.

It is a bit of a faff, but that's what you get with SSTP. The benefit of it is
that it is integrated with MSWindows authentication mechanisms and network
stack, allowing easy enterprise wide configuration and management.

For your friend's one off VPN set up, OpenVPN, or SoftEther VPN is probably a
better MSWindows based option:

http://www.softether.org/

https://github.com/SoftEtherVPN/SoftEtherVPN

--
Regards,
Mick
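
Added example (not part of the message above, nor code from any project it mentions): a Python pre-flight check for the two certificate problems described, namely whether the address clients connect to appears in the certificate's CN and Subject Alternative Name, and whether the SSTP binding and the RRAS selection point at the same certificate. The certificate dict uses the shape Python's ssl.SSLSocket.getpeercert() returns; the function names, addresses and thumbprints are assumptions constructed for illustration.

```python
import ipaddress

def _as_ip(s):
    try:
        return ipaddress.ip_address(s)
    except ValueError:
        return None

def _same_name(target, value):
    """Compare the address the client dials with one certificate name."""
    t_ip, v_ip = _as_ip(target), _as_ip(value)
    if t_ip is not None or v_ip is not None:
        return t_ip == v_ip  # IP literals must match exactly, never as DNS
    t, v = target.lower().rstrip("."), value.lower().rstrip(".")
    if v.startswith("*."):  # a wildcard covers exactly one leftmost label
        return "." in t and t.split(".", 1)[1] == v[2:]
    return t == v

def _thumb(s):
    """Normalise a thumbprint: drop spaces and colons, ignore case."""
    return "".join(c for c in s if c.isalnum()).upper()

def preflight(target, cert, sstp_thumb, rras_thumb):
    """Return which of the checks pass for the address clients connect to."""
    want = "IP Address" if _as_ip(target) is not None else "DNS"
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn
           if k == "commonName"]
    # Only SAN entries of the matching type count: an IP literal stored as a
    # DNS-type entry is not treated as an IP SAN.
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == want]
    return {
        "in_cn": any(_same_name(target, v) for v in cns),
        "in_san": any(_same_name(target, v) for v in sans),
        "same_cert": _thumb(sstp_thumb) == _thumb(rras_thumb),
    }

# Constructed sample: certificate fields and thumbprints are made up.
SAMPLE_CERT = {
    "subject": ((("commonName", "192.0.2.10"),),),
    "subjectAltName": (("DNS", "vpn.example.test"), ("IP Address", "192.0.2.10")),
}

if __name__ == "__main__":
    print(preflight("192.0.2.10", SAMPLE_CERT, "AB CD 12 34", "abcd1234"))
    print(preflight("vpn.example.test", SAMPLE_CERT, "AB CD 12 34", "ffee0011"))
```

A False under in_cn or in_san for the address the client actually dials, or under same_cert, points at the corresponding item in the message above.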