VPN Issues With New Airport Extreme 802.11n
An anonymous reader writes "The new Airport Extremes are shipping and some users are reporting problems with certain types of VPN connectivity. There is a work-around posted in Apple's support forums, but the solution is less than ideal. These issues were not experienced in Apple's earlier Airport Extreme, and users are calling for Apple to fix the issue. Some have even taken their unit back to Apple until a fix is created."
From the link; use the "default host" option:
In Airport Utility, double-click on the AEBS. In the popup window, click on Internet. Then click on NAT. Check "Enable default host" and set the IP address to what the AEBS has given to your Mac.
The Nortel VPN client then works (at least for me anyway - it didn't work before I tried this).
According to the help for the Airport Utility, "A default host is a computer on your network that is exposed to the Internet and receives all inbound traffic." This obviously doesn't sound like a permanent solution but it is definitely a workaround of sorts.
So one recommendation/workaround is to put the device in the DMZ? That's a horrible workaround. Once your VPN connection is up, if it's smart it will disable any traffic other than that destined for the VPN connection (and vice versa) but you're still exposed until you get the tunnel running. And that still doesn't eliminate any buffer/driver exploits...
That's just... ick.
Karnal
It's a basic law of selling stuff to test it with one of everything it could be doing up to a reasonable point BEFORE it ships.
This is true of every industry EXCEPT software. Haven't you noticed?
Seven puppies were harmed during the making of this post.
I find it amusing that by this making the front page of slashdot, this will probably get sorted out much more quickly than had they gone through the proper channels over at Apple.
Gotta get me one of these!
People are already asking this. The answer is that the work-around is unacceptable. This is news when it is a Microsoft product. This is news when it's anyone's. A solution that puts users at even further risk is a bad solution.
Here's what I hate, though. Apple sometimes decides not to fix things. It isn't likely to be the case here, but sometimes they just decide not to fix things.
I don't believe the issue with the new Airport has anything at all to do with the 802.11n spec - it seems to be an internal routing functionality issue.
Karnal
That doesn't change the fact that you shouldn't have to put it in the DMZ in the first place. It's a horrible workaround from a security point-of-view, and it's not even practical - if you have two computers inside that want to use a VPN, you're screwed because you can't have two "default hosts".
Even if Mac OS X were twice as secure as it is - and yes, I'm one of those who think that outside of bugs and vulnerabilities that almost every piece of software has (unless it was developed by either NASA or djb), it's reasonably secure because it was designed to be more secure, not just because it enjoys less market share - that still wouldn't be a justification for an obvious bug in the base station's firmware. It's a lucky circumstance that may function as a workaround, but there's no way it actually qualifies as an acceptable solution to anything.
I realize it's supposed to work with VPN and all, but for a new product release this is a fairly minor issue. It'll certainly be fixed in the next firmware update which we are likely to see later this month. I saw two people post that they returned their Airports until Apple fixes it. That's sort of like returning your new car because the remote trunk release isn't working properly. Too many people expect perfection even on new products.
I do sympathize with the users that need their VPN to work, but when an issue affects only 2% of the customer base it's unreasonable to expect the manufacturer to scramble their entire tech staff to fix it instantly. Be reasonable and they will fix it in a reasonable amount of time.
I work for the Department of Redundancy Department.
Wrong.
I've been using Nortel Contivity Client from behind a PIX (subject to interface PAT) for 3 years without any problem.
Correct: it is a workaround offered by a user, and surely firmware updates will straighten things out. Correct: no piece of complex software (and almost no pieces of easy software as well) contain bugs. My confidence in Apple to provide an upgrade to the problem has nothing to do with the fact that it is a problem now, and that the workaround - offered by Apple or not - is crap when compared to a real fix.
My comment's parent was arguing that vending a computer directly to the Internet is acceptable and even to be preferred instead of "having to hide behind some shitty, ineffective firewall". Then he got started on Mac OS X's security record, which really has nothing to do with anything other than, in effect, making the workaround a little less horrible. He got labelled a Troll, and that seems fairly accurate.
I am not trying to tell Apple they suck - and believe you me, I would if *they* offered the workaround as a permanent solution, which they assuredly won't. I'm saying that embracing the workaround as somehow a better state of affairs than a functional solution (see, again, my comment's parent) is foolish.
This is a bug that should never make it past QA. VPN isn't exactly an obscure concept that few people ever use. This shows a lack of testing, not your average bug.