VPN Issues With New Airport Extreme 802.11n
An anonymous reader writes "The new Airport Extremes are shipping and some users are reporting problems with certain types of VPN connectivity. There is a work-around posted in Apple's support forums, but the solution is less than ideal. These issues were not experienced in Apple's earlier Airport Extreme, and users are calling for Apple to fix the issue. Some have even taken their unit back to Apple until a fix is created."
Personally, I can't seem to be able to work in the airport, let alone manage to fire up my VPN to work. When traveling, you have so much more to worry about, like TSA, and losing your luggage... Who has time for computing?
From the link; use the "default host" option:
In Airport Utility, double-click on the AEBS. In the popup window, click on Internet. Then click on NAT. Check "Enable default host" and set the IP address to what the AEBS has given to your Mac.
The Nortel VPN client then works (at least for me anyway; it didn't work before I tried this).
According to the help for the Airport Utility, "A default host is a computer on your network that is exposed to the Internet and receives all inbound traffic." This obviously doesn't sound like a permanent solution but it is definitely a workaround of sorts.
So one recommendation/workaround is to put the device in the DMZ? That's a horrible workaround. Once your VPN connection is up, if it's smart it will disable any other traffic than destined for that VPN connection (and vice versa) but you're still exposed until you get the tunnel running. And that still doesn't eliminate any buffer/driver exploits...
That's just... ick.
Karnal
Jesus. Get a grip. It's a bug. This happens all the time with software. Actually, I'll be off now whining that my wireless card hangs under Linux.
Okay, a brand-new, just-released product has a bug. Why is this on Slashdot?
This space intentionally left blank.
Although I use Linux and OS X, I am not a fan of the Airport Extreme. It has a somewhat limited ability in its configurations. I like the dial-up feature it has that is not common among wifi routers for those without broadband. Although it is not my 1st choice of router.
I personally use a Linksys WRT54GL flashed with DD-WRT. They are a complete solution for work environments, and good for home as well. I can get them for $65 a pop, and resell them for $100, and not charge installation. Since they run Linux, you can do almost anything with it. DD-WRT gives it the same, or similar, abilities of a $600 router. You can have a hardware VPN solution in the unit as well. The WRT54GL has 16 MB RAM and 4 MB flash, along with a 200 MHz Broadcom processor. It's a nice little box. It is a complete solution in most of the networking jobs I do.
WRT54GL: http://www.newegg.com/product/product.asp?item=N8
DD-WRT: http://www.dd-wrt.com/
When government fears the people, there is liberty. When the people fear the government, there is tyranny. - Jefferson
It's a basic law of selling stuff to test it with one of everything it could be doing, up to a reasonable point, BEFORE it ships.
This is true of every industry EXCEPT software. Haven't you noticed?
Seven puppies were harmed during the making of this post.
(1) It's Sunday, when not very many things happen (aka, slownewsday)
(2) It's an Apple product. Geekiness is inherent.
(3) It's an Apple product. Bugs are rare, and therefore news.
Take your pick.
I find it amusing that by this making the front page of slashdot, this will probably get sorted out much more quickly than had they gone through the proper channels over at Apple.
Gotta get me one of these!
People are already asking this. The answer is that the work-around is unacceptable. This is news when it is a Microsoft product. This is news when it's anyone's. Solutions that put users at even further risk are bad solutions.
Here's what I hate, though. Apple sometimes decides not to fix things. It isn't likely to be the case here, but sometimes they just decide not to fix things.
This isn't Windows. OS X is a reasonably secure OS, and it works fine without having to hide behind some shitty, ineffective firewall. I have over 200 OS X boxes with public IPs, and I'm not particularly worried about them.
The internet, in general, works better when you have a real connection.
Intelligently I hope!
"All you have to do is be fragile and grateful. So stay the underdog." Chuck Palahniuk, Choke
It seems that every complaint in that thread is regarding Nortel's Contivity VPN system.
As someone whose employer uses Contivity, I can say that without a doubt, Contivity *sucks*. It is in theory an IPSec implementation, but it is a massively mangled one that suffers from endless problems, especially with NAT. Numerous coworkers of mine have had problems with Contivity and a wide variety of routers from various manufacturers. About the only router that seems to work well with Contivity is one running DD-WRT. For some reason, DD-WRT Just Works.
retrorocket.o not found, launch anyway?
... what the issue is? When I click the link to the forum post, this is the question:
"I am considering buying this new Airport, but I will need to set up a VPN between it and my work location. Can this device cope with doing that? The old Airport Extreme could not."
This doesn't seem to have anything to do with the summary. The old Airport Extreme could not? The summary says "These issues were not experienced in Apple's earlier Airport Extreme".
Does this mean I can't use my Cisco VPN client to connect to my work VPN? Or are people trying to use the Airport Extreme Base Station as VPN hardware (which it is not)?
That doesn't change the fact that you shouldn't have to put it in the DMZ in the first place. It's a horrible workaround from a security point-of-view, and it's not even practical - if you have two computers inside that want to use a VPN, you're screwed because you can't have two "default hosts".
Even if Mac OS X was twice as secure as it is - and yes, I'm one of them who thinks that outside of bugs and vulnerabilities that almost every piece of software has (unless it was developed by either NASA or djb), it's reasonably secure because it was designed to be more secure, not just because it enjoys less market share - that still wouldn't be a justification for an obvious bug in the base station's firmware. It's a lucky circumstance that may function as a workaround, but there's no way it actually qualifies as an acceptable solution to anything.
I realize it's supposed to work with VPN and all, but for a new product release this is a fairly minor issue. It'll certainly be fixed in the next firmware update, which we are likely to see later this month. I saw two people post that they returned their AirPorts until Apple fixes it. That's sort of like returning your new car because the remote trunk release isn't working properly. Too many people expect perfection even on new products.
I do sympathize with the users that need their VPN to work, but when an issue affects only 2% of the customer base it's unreasonable to expect the manufacturer to scramble their entire tech staff to fix it instantly. Be reasonable and they will fix it in a reasonable amount of time.
I work for the Department of Redundancy Department.
Nortel Contivity client has long sucked, and most people use older versions that don't support UDP encapsulation and NAT Traversal. Getting TCP IPsec to work is an issue not just with the Airport, but with many firewalls. Try connecting a Nortel Contivity client from behind a PIX/ASA/IOS CBAC, or Netscreen for that matter (with default settings). Stateful filtering and NAT will break the VPN.
This is not a fault in their product, it's your fault for trying to do it.
There may or may not be a fix for it in the next few weeks, but until then, just appreciate the aesthetics of your over-priced hardware.
lots of love,
SteveyJ
xxx
Do you want to know about the problem before or after you buy the product?
--
VancouverCondo.Info
I don't own one of these devices so I cannot test this for sure, but instead of blindly forwarding everything to a "default host" (I presume this is like "DMZ mode" on other routers), has anyone tried forwarding requisite ports?
Most VPN clients encapsulate ESP packets in UDP for NAT traversal. It sounds to me like the router's handling of pseudo-stateful connections (how firewalls handle protocols like UDP in a stateful fashion) is broken. If it were _completely_ broken, DNS queries wouldn't work either. Anyway... blindly forwarding everything would fix this by ensuring that all related return packets are forwarded to the VPN client.
It's always funny reading the Apple forums - people who know Jack Shit about computers give advice to people who know less and trying to sound all authoritative. ...said the AC in an authoritative voice.
Blank until
One of the (many) nice things about OpenVPN is how it seems to work very well without requiring monkeying around on your hardware: you have to add/enable the tun/tap drivers on the client machine, but that's about it. I've been using it for about a year, connecting from my OS X laptop to my Linux box at work. I've also, for testing's sake, connected from a Windows box without problems.
OpenVPN is quite straightforward to set up, secure, cross-platform, and FREE.
#DeleteChrome
And I still trust an AC on /. more than Steve Wonderful Jobs on an Apple forum. Take your pick.
I haven't tried it on a Mac, but in many cases a system connected via VPN still allows on-subnet communication. Without a stateful firewall on the host, local attacks get right to the system.
So? It's a work-around, and as far as I can tell, one not posted by Apple but by another user on a forum. You know, work-around? Since the AirPort firmware is easily upgraded wirelessly using the AirPort admin software, I've no doubt that an update will be forthcoming.
As to "that still wouldn't be a justification for an obvious bug in the base station's firmware", perhaps you'd like to point me to ANY other piece of complex software that contains no bugs whatsoever?
Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
I'll bite.
Can't windows connect to an Airport Extreme? If so, I'd see it as no different than an issue with any other home networking gear. Doesn't matter what's on the other side of the router; having it in the DMZ is pretty foolish from a network administration point of view (yup, I'm a network admin.)
Karnal
OK, first, it doesn't look like anyone from Apple has recommended that everyone using Nortel VPN clients simply set a default host and be done with it. This is a user discussion. Maybe some of those people are Apple employees, but I didn't notice anything telling me that they were. Second, the more appropriate solution would probably be a port trigger, which the new base station supports. I don't use Nortel VPN, and my Cisco VPN is working fine with my new Extreme, but this thread seems to imply that a simple port trigger fixed the exact same issue for Linksys users. Hopefully that will help.
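To make the trade-off between the three options discussed in this thread concrete (the "default host" workaround, the plain port-forwarding question a few comments up, and the port trigger suggested here), the following is an added toy model of a NAT router's inbound-delivery decision. It is not code from the AirPort firmware or from any commenter; the LAN host, VPN gateway address, trigger rule and the "unmatched packet from the gateway" case are constructed sample values that stand in for the pseudo-stateful UDP problem the earlier comment hypothesizes.

```python
"""Toy model: where does a NAT router deliver an inbound UDP packet?
Added illustration, not AirPort or Nortel code. Addresses and rules are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_port: int  # port on the router's public side


@dataclass
class Nat:
    # "Enable default host": every unsolicited inbound packet goes to this LAN host.
    default_host: Optional[str] = None
    # Port trigger: outbound traffic to a remote port opens a set of inbound ports.
    triggers: Dict[int, Set[int]] = field(default_factory=dict)
    # Address-and-port-restricted mappings created by outbound traffic.
    mappings: Dict[Tuple[str, int, int], str] = field(default_factory=dict)
    open_ports: Dict[int, str] = field(default_factory=dict)

    def outbound(self, lan_host: str, public_port: int, remote_ip: str, remote_port: int) -> None:
        self.mappings[(remote_ip, remote_port, public_port)] = lan_host
        for port in self.triggers.get(remote_port, set()):
            self.open_ports[port] = lan_host  # trigger fired: open inbound ports for this host only

    def inbound(self, pkt: Packet) -> Optional[str]:
        """Return the LAN host that receives pkt, or None if the router drops it."""
        host = self.mappings.get((pkt.src_ip, pkt.src_port, pkt.dst_port))  # 1. reply to a known flow
        if host is None:
            host = self.open_ports.get(pkt.dst_port)  # 2. port opened by a trigger
        if host is None:
            host = self.default_host  # 3. unsolicited: default host or drop
        return host


def scenario(policy: str) -> Dict[str, Optional[str]]:
    """Run the same three inbound packets through one policy: 'strict', 'default_host' or 'trigger'."""
    nat = Nat()
    if policy == "default_host":
        nat.default_host = "10.0.1.2"  # constructed: the Mac running the VPN client
    elif policy == "trigger":
        nat.triggers = {500: {4500}}  # constructed rule: IKE out on 500 opens NAT-T port 4500
    nat.outbound("10.0.1.2", 500, "203.0.113.5", 500)  # client starts IKE with the VPN gateway
    reply = Packet("203.0.113.5", 500, 500)       # ordinary reply, matches the mapping
    unmatched = Packet("203.0.113.5", 4500, 4500)  # gateway traffic the mapping table misses
    scan = Packet("198.51.100.7", 40000, 22)       # unrelated unsolicited probe from the Internet
    return {"reply": nat.inbound(reply), "unmatched": nat.inbound(unmatched), "scan": nat.inbound(scan)}
```

Under "default_host" the unmatched gateway packet reaches the client, but so does the unrelated probe, which is the exposure the thread objects to; under "trigger" the gateway packet still gets through while the probe is dropped.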
Correct: it is a workaround offered by a user, and surely firmware updates will straighten things out. Correct: no piece of complex software (and almost no pieces of easy software as well) contain bugs. My confidence in Apple to provide an upgrade to the problem has nothing to do with the fact that it is a problem now, and that the workaround - offered by Apple or not - is crap when compared to a real fix.
My comment's parent was arguing that vending a computer directly to the Internet is acceptable and even to be preferred instead of "having to hide behind some shitty, ineffective firewall". Then he got started on Mac OS X's security record, which really has nothing to do with anything other than, in effect, making the workaround a little less horrible. He got labelled a Troll, and that seems fairly accurate.
I am not trying to tell Apple they suck - and believe you me, I would if *they* offered the workaround as a permanent solution, which they assuredly won't. I'm saying that embracing the workaround as somehow a better state of affairs than a functional solution (see, again, my comment's parent) is foolish.
Uh. Correction. Minus: "Correct: no piece of complex software (and almost no pieces of easy software as well) contain bugs." Plus: "Correct: no piece of complex software (and almost no pieces of easy software as well) are free of bugs."
Oops, what happened there then?
go ahead, mod me troll, I'm getting used to it
Use the Ethernet cable. Is it that hard? Really?
DD-WRT has become a pay-to-play firmware; any advanced features like decent QoS are a pay-for model now.
;)
DD-WRT is too 'new'; it's not using parts written by Linksys that actually work (like UPnP on iChat, for instance).
Solution? The FULLY open source Tomato firmware. Based on Linksys and built on top of it, with a modern modular AJAX interface. Hands down, the best.
http://www.polarcloud.com/tomato
View video demos of its interface. I won't go back to OpenWRT or DD-WRT. You say DD-WRT, I say Tomato
[This comment was deleted by an Apple forum moderator.]
"Beware of he who would deny you access to information, for in his heart he dreams himself your master."
Once again, we see how hip on security (and even proper programming methods) Apple really is.
Despite the Apple-funded FUD, Apple (and similarly, Lunix) is entirely dependent upon its security through obscurity. They may get some fools to believe they don't need security because they are running Apple... but anyone with more than half a brain knows that's a load of crap.
MOAB raised awareness. Expect the whole house of cards to start coming down, and probably pretty soon, too.
It may be that in the name of "security from internal malware" (I cannot see any reason for SPI firewalls to exist in NAT routers other than to protect the outside world from internal machines infected with malware, and the behavior of Netgear's SPI implementation confirms this suspicion that SPI is all about protecting the world from you instead of the other way around.), Apple added some sort of SPI firewall to their new routers.
I am not too familiar with other vendor implementations, but I know that Netgear's SPI firewalls usually seem to serve no purpose other than to classify outbound DNS requests as some sort of DoS flood and block it, among other things in the general class of "breaking stuff that is supposed to work", including Contivity VPNs (A coworker recently confirmed this for me, the moment he killed the SPI firewall on his Netgear router he no longer had to open up 4279374072903 ports to get Contivity to work reliably.) Apple's may be similar.
retrorocket.o not found, launch anyway?