Slashdot Mirror


VPN Issues With New Airport Extreme 802.11n

An anonymous reader writes "The new Airport Extremes are shipping and some users are reporting problems with certain types of VPN connectivity. There is a work-around posted in Apple's support forums, but the solution is less than ideal. These issues were not experienced in Apple's earlier Airport Extreme, and users are calling for Apple to fix the issue. Some have even taken their unit back to Apple until a fix is created."

7 of 87 comments

  1. How is this news? by avalys · · Score: 3, Informative

    Okay, a brand-new, just-released product has a bug. Why is this on Slashdot?

    --
    This space intentionally left blank.
  2. DD-WRT by AnyThingButWindows · · Score: 5, Informative

    Although I use Linux, and OS X, I am not a fan of the Airport Extreme. It has a somewhat limited ability in its configurations. I like the Dial-up feature it has that is not common among wifi routers for those without broadband. Although it is not my 1st choice of router.

    I personally use a Linksys WRT54GL flashed with DD-WRT. They are a complete solution for work environments, and good for home as well. I can get them for $65 a pop, and resell them for $100, and not charge installation. Since they run Linux, you can do almost anything with it. DD-WRT gives it the same or similar abilities as a $600 router. You can have a hardware VPN solution in the unit as well. The WRT54GL has 16 MB of RAM and 4 MB of flash, along with a 200 MHz Broadcom processor. It's a nice little box. It is a complete solution in most of the networking jobs I do.

    WRT54GL: http://www.newegg.com/product/product.asp?item=N82E16833124190
    DD-WRT: http://www.dd-wrt.com/

    --
    When government fears the people, there is liberty. When the people fear the government, there is tyranny. - Jefferson
  3. This is news why? by Andy+Dodd · · Score: 5, Informative

    It seems that every complaint in that thread is regarding Nortel's Contivity VPN system.

    As someone whose employer uses Contivity, I can say that without a doubt, Contivity *sucks*. It is in theory an IPSec implementation, but it is a massively mangled one that suffers from endless problems, especially with NAT. Numerous coworkers of mine have had problems with Contivity and a wide variety of routers from various manufacturers. About the only router that seems to work well with Contivity is one running DD-WRT. For some reason, DD-WRT Just Works.

    --
    retrorocket.o not found, launch anyway?
  4. Re:Can someone explain... by Andy+Dodd · · Score: 3, Informative

    "The issue seems to be that, without setting your computer as the DMZ in the base station settings, you can't establish a VPN connection with an external VPN server from your computer."

    No, the issue is that without this workaround, you can't connect one specific VPN client (Nortel Contivity) to an external VPN server. All of the problem reports except for one are with Nortel Contivity, a VPN client which is notorious for being finicky as far as working with NAT routers. Trust me, we use it where I work and it breaks with a LARGE variety of routers from various manufacturers.

    I know nothing about this Checkpoint client, but it is probably similar to Contivity (In theory, an IPSec implementation, but one that is so badly mangled that it won't speak to any other IPSec implementation other than the one it was specifically designed with. That mangling seems to be related to its tendency to not work well with many NAT routers.)

    --
    retrorocket.o not found, launch anyway?
  5. Port Triggering by thecombatwombat · · Score: 4, Informative

    OK, first, it doesn't look like anyone from Apple has recommended that everyone using Nortel VPN clients simply set a default host and be done with it. This is a user discussion. Maybe some of those people are Apple employees, but I didn't notice anything telling me that they were. Second, the more appropriate solution would probably be a port trigger, which the new base station supports. I don't use Nortel VPN, and my Cisco VPN is working fine with my new Extreme, but this thread seems to imply that a simple port trigger fixed the exact same issue for Linksys users. Hopefully that will help.

  6. Re:openvpn by lukas84 · · Score: 3, Informative

    "Actually, in my experience, setting up a PPTP server was a complete and total pain in the ass. I had tried PoPToP on my Linux server (didn't know of any other solutions at the time, and wasn't going to Windows for my server), but I got frustrated as all hell trying to get it working. Even when I thought I got it working, I could never get the clients to connect properly."

    Hmm, I didn't have many problems doing this. For earlier versions of Linux, a kernel patch for MPPE was required, but since then this has been integrated into the Linux kernel. For some time, there was a rather nasty bug in the Linux kernel, preventing MTU detection from working (PPTP MTU Problems) - but this has been resolved since then.

    As far as "nicely integrating with the OS", well, if you want an easy OpenVPN client solution, pick up OpenVPN-GUI for Windows or Tunnelblick for OS X. They're GUI frontends for OpenVPN that, once you get the config and key files into the configuration directories, connect/disconnect with a couple of mouse-clicks. I looked at these solutions again about half a year ago. At that time, I didn't feel comfortable guiding a sales rep or a person with similar IT know-how through the procedure over the phone - this is different with Windows' and OS X's PPTP client - they're idiot proof. And that's my main reason for using it.

    And more problems; OpenVPN and u:pw authentication against Active Directory doesn't seem to be easily possible.
  7. Re:RFC 3948 and NAT Traversal by calmdude · · Score: 3, Informative

    You're using a newer Contivity client, and your organization has enabled NAT-T on their Nortel endpoint.

    A lot of larger corporations use the older client -- Contivity 3.x which doesn't support NAT-T, or they choose to not enable NAT-T on the gateway. This is the case with a lot of Fortune 100 companies.
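    As an added illustration (not code from the thread or from Nortel), the following Python models what the NAT-related comments above describe: RFC 3948 UDP encapsulation, which wraps ESP and IKE in UDP port 4500 so a NAT has a port to rewrite, next to a simplified port-based NAT showing why native ESP (IP protocol 50, no ports) lets only one inside host reach a given gateway. The NAT model and all addresses are constructed for the example.

```python
import struct

IPPROTO_ESP = 50               # native ESP is an IP protocol, carrying no port numbers
IPPROTO_UDP = 17
UDP_ENCAP_PORT = 4500          # RFC 3948: port for UDP-encapsulated ESP and IKE
NON_ESP_MARKER = b"\x00" * 4   # RFC 3948 sec. 2.2: SPI 0 is reserved, so this means IKE
NAT_KEEPALIVE = b"\xff"        # RFC 3948 sec. 2.3: one-octet NAT keepalive


def udp_encap_esp(spi: int, seq: int, payload: bytes) -> bytes:
    """UDP payload of a NAT-T ESP packet (RFC 3948 sec. 2.1): ESP header, then ESP body."""
    if spi == 0:
        raise ValueError("SPI 0 would be mistaken for the Non-ESP marker")
    return struct.pack("!II", spi, seq) + payload


def udp_encap_ike(ike_message: bytes) -> bytes:
    """IKE sent on port 4500 is prefixed with the Non-ESP marker (RFC 3948 sec. 2.2)."""
    return NON_ESP_MARKER + ike_message


def classify_udp4500(udp_payload: bytes) -> dict:
    """Demultiplex a UDP/4500 payload the way a NAT-T peer or firewall must."""
    if udp_payload == NAT_KEEPALIVE:
        return {"kind": "keepalive"}
    if udp_payload[:4] == NON_ESP_MARKER:
        return {"kind": "ike", "message": udp_payload[4:]}
    if len(udp_payload) < 8:
        return {"kind": "invalid"}          # shorter than an ESP header
    spi, seq = struct.unpack("!II", udp_payload[:8])
    return {"kind": "esp", "spi": spi, "seq": seq, "payload": udp_payload[8:]}


class PortNat:
    """Constructed model of a port-based NAT (NAPT). UDP flows get a per-host outside
    port; native ESP has no port, so the first inside host claims the only possible
    mapping to a gateway and later hosts are dropped (the one-client limit seen on
    many consumer routers without NAT-T)."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.udp_map = {}      # (inside_ip, inside_port) -> outside port
        self.esp_owner = {}    # gateway -> inside_ip that holds the ESP mapping
        self.next_port = 40000

    def forward(self, proto, inside_ip, inside_port, gateway):
        """Return (public ip, public port) the packet leaves with, or None if dropped."""
        if proto == IPPROTO_ESP:
            owner = self.esp_owner.setdefault(gateway, inside_ip)
            return (self.public_ip, None) if owner == inside_ip else None
        key = (inside_ip, inside_port)
        if key not in self.udp_map:
            self.udp_map[key] = self.next_port
            self.next_port += 1
        return (self.public_ip, self.udp_map[key])
```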