Slashdot Mirror
VPN Issues With New Airport Extreme 802.11n
An anonymous reader writes "The new Airport Extremes are shipping and some users are reporting problems with certain types of VPN connectivity. There is a work-around posted in Apple's support forums, but the solution is less than ideal. These issues were not experienced in Apple's earlier Airport Extreme, and users are calling for Apple to fix the issue. Some have even taken their unit back to Apple until a fix is created."
From the link; use the "default host" option:
In Airport Utility, double-click on the AEBS. In the popup window, click on Internet. Then click on NAT. Check "Enable default host" and set the IP address to what the AEBS has given to your mac.
The Nortel VPN client then works (at least for me anyway - It didn't work before I tried this).
According to the help for the Airport Utility, "A default host is a computer on your network that is exposed to the Internet and receives all inbound traffic." This obviously doesn't sound like a permanent solution but it is definitely a workaround of sorts.
So one recommendation/workaround is to put the device in the DMZ? That's a horrible workaround. Once your VPN connection is up, if it's smart it will disable any other traffic than destined for that VPN connection (and vice versa) but you're still exposed until you get the tunnel running. And that still doesn't eliminate any buffer/driver exploits...
That's just... ick.
Karnal
Okay, a brand-new, just-released product has a bug. Why is this on Slashdot?
This space intentionally left blank.
Although I use Linux, and OS X, I am not a fan of the Airport Extreme. It has a somewhat limited ability in its configurations. I like the Dial-up feature it has that is not common amoung wifi routers for those without broadband. Although it is not my 1st choice of router.
2 E16833124190
I personally use a Linksys WRT54GL flashed with DD-WRT. They are a complete solution for work environments, and good for home as well. I can get them for $65 a pop, and resell them for $100, and not charge installation. Since they run Linux, you can do almost anything with it. DD-WRT gives it the same, or similar abilities of a $600 router. You can have a hardware VPN solution in the unit as well. The WRT54GL has 16mb ram, and 4mb flash, along with a 200mhz broadcom processor. Its a nice little box. It is a complete solution in most of the networking jobs I do.
WRT54GL: http://www.newegg.com/product/product.asp?item=N8
DD-WRT: http://www.dd-wrt.com/
When government fears the people, there is liberty. When the people fear the government, there is tyranny. - Jefferson
it's a basic law of selling stuff to test it with one of everything it could be doing up to a reasonable point BEFORE it ships.
This is true of every industry EXCEPT software. Haven't you noticed?
Seven puppies were harmed during the making of this post.
I find it amusing that by this making the front page of slashdot, this will probably get sorted out much more quickly than had they gone through the proper channels over at Apple.
Gotta get me one of these!
People are already asking this. The answer is that the work-around is unacceptable. This is news when it is a Microsoft product. This is news when it's anyone's. Solutions that put users at even further risk is a bad solution.
Here's what I hate, though. Apple sometimes decides not to fix things. It isn't likely to be the case here, but sometimes they just decide not to fix things.
Intelligently I hope!
"All you have to do is be fragile and grateful. So stay the underdog." Chuck Palahniuk, Choke
It seems that every complaint in that thread is regarding Nortel's Contivity VPN system.
As someone whose employer uses Contivity, I can say that without a doubt, Contivity *sucks*. It is in theory an IPSec implementation, but it is a massively mangled one that suffers from endless problems, especially with NAT. Numerous coworkers of mine have had problems with Contivity and a wide variety of routers from various manufacturers. About the only router that seems to work well with Contivity is one running DD-WRT. For some reason, DD-WRT Just Works.
retrorocket.o not found, launch anyway?
That doesn't change the fact that you shouldn't have to put it in the DMZ in the first place. It's a horrible workaround from a security point-of-view, and it's not even practical - if you have two computers inside that want to use a VPN, you're screwed because you can't have two "default hosts".
Even if Mac OS X was twice as secure as it is - and yes, I'm one of them who thinks that outside of bugs and vulnerabilities that almost every piece of software has (unless it was developed by either NASA or djb), it's reasonably secure because it was designed to be more secure, not just because it enjoys less market share - that still wouldn't be a justification for an obvious bug in the base station's firmware. It's a lucky circumstance that may function as a workaround, but there's no way it actually qualifies as an acceptable solution to anything.
I realize it's supposed to work with VPN and all, but for a new product release this is a fairly minor issue. It'll certainly be fixed in the next firmware update which we are likely to see later this month. I saw two people post that they returned their airports until apple fixes it. That's sort of like returning your new car because the remote trunk release isn't working properly. Too many people expect perfection even on new products.
I do sympathize with the users that need their VPN to work, but when an issue affects only 2% of the customer base it's unreasonable to expect the manufacturer to scramble their entire tech staff to fix it instantly. Be reasonable and they will fix it in a reasonable amount of time.
I work for the Department of Redundancy Department.
Nortel Contivity client has long sucked, and most people use older versions that don't support UDP encapsulation and NAT Traversal. Getting TCP IPsec to work is an issue not just with the Airport, but with many firewalls. Try connecting a Nortel Contivity client from behind a PIX/ASA/IOS CBAC, or Netscreen for that matter (with default settings). Stateful filtering and NAT will break the VPN.
[blockquote]Either your comment is stupid or Apple customers are stupid.[/blockquote] You seem to have negated the possibility that both statements are true.
"The issue seems to be that, without setting your computer as the DMZ in the base station settings, you can't establish a VPN connection with an external VPN server from your computer."
No, the issue is that without this workaround, you can't connect one specific VPN client (Nortel Contivity) to an external VPN server. All of the problem reports except for one are with Nortel Contivity, a VPN client which is notorious for being finicky as far as working with NAT routers. Trust me, we use it where I work and it breaks with a LARGE variety of routers from various manufacturers.
I know nothing about this Checkpoint client, but it is probably similar to Contivity (In theory, an IPSec implementation, but one that is so badly mangled that it won't speak to any other IPSec implementation other than the one it was specifically designed with. That mangling seems to be related to its tendency to not work well with many NAT routers.)
retrorocket.o not found, launch anyway?
It's always funny reading the Apple forums - people who know Jack Shit about computers give advice to people who know less and trying to sound all authoritative. ...said the AC in an authoritative voice.
Blank until
I use OpenVPN a lot, but only for site-to-site configurations. For roadwarriors, i recommend PPTP.
Why?
Both OS X and Windows (from 2000) have a native PPTP client. PPTP uses GRE, so it doesn't work with routers that don't support VPN Passthrough, but nearly 99% do. The ease of deployment of PPTP is massive - OpenVPN requires a lot more work, and isn't as nicely integrated into the OS as PPTP on both OS X and Windows.
For the server side, you can create a PPTP server on almost everything. I usually use Linux boxes with authentication against active directory. But Windows Server can also play PPTP servers, which is especially nice in Small Business Environments.
But when 2 Linux Boxes are involved, OpenVPN is king. It can even get through the most restrictive firewalls, which can be kinda nice. And it works flawlessly. I use it to connect branch offices or for remote maintenance for key customers.
OK, first, it doesn't look like anyone from Apple has recommended that everyone using Nortel VPN clients simply set a default host and be done with it. This is a user discussion. Maybe some of those people are Apple employees, but I didn't notice anything telling me that they were. Second, the more appropriate solution would probably a be a port trigger, which the new base station supports. I don't use Nortel VPN, and my Cisco VPN is working fine with my new Extreme, but this thread seems to imply that a simple port trigger fixed the exact same issue for Linksys users. Hopefully that will help.
Correct: it is a workaround offered by a user, and surely firmware updates will straighten things out. Correct: no piece of complex software (and almost no pieces of easy software as well) contain bugs. My confidence in Apple to provide an upgrade to the problem has nothing to do with the fact that it is a problem now, and that the workaround - offered by Apple or not - is crap when compared to a real fix.
My comment's parent was arguing that vending a computer directly to the Internet is acceptable and even to be preferred instead of "having to hide behind some shitty, ineffective firewall". Then he got started on Mac OS X's security record, which really has nothing to do with anything other than, in effect, making the workaround a little less horrible. He got labelled a Troll, and that seems fairly accurate.
I am not trying to tell Apple they suck - and believe you me, I would if *they* offered the workaround as a permanent solution, which they assuredly won't. I'm saying that embracing the workaround as somehow a better state of affairs than a functional solution (see, again, my comment's parent) is foolish.
Actually, in my experience, setting up a PPTP server was a complete and total pain in the ass. I had tried PoPToP on my Linux server (didn't know of any other solutions at the time, and wasn't going to Windows for my server), but I got frustrated as all hell trying to get it working. Even when I thought I got it working, I could never get the clients to connect properly. On the other hand, I had very few problems setting up OpenVPN as a server once I read through the HOWTO on their site thoroughly. I've set up two different OpenVPN server setups, one bridged and one routed, and both work fine with a minimum of hassle.
As far as "nicely integrating with the OS", well, if you want an easy OpenVPN client solution, pick up OpenVPN-GUI for Windows or Tunnelblick for OS X. They're GUI frontends for OpenVPN that, once you get the config and key files into the configuration directories, connect/disconnect with a couple of mouse-clicks. I use both extensively to connect to my home network, and never have had an issue.
Just my $.02...
And more problems; OpenVPN and u:pw authentication against Active Directory doesn't seem to be easily possible.