VPN Issues With New Airport Extreme 802.11n

An anonymous reader writes "The new Airport Extremes are shipping and some users are reporting problems with certain types of VPN connectivity. There is a work-around posted in Apple's support forums, but the solution is less than ideal. These issues were not experienced in Apple's earlier Airport Extreme, and users are calling for Apple to fix the issue. Some have even taken their unit back to Apple until a fix is created."

Solution? Put 'er in the DMZ....

[karnal]

From the link; use the "default host" option:

In Airport Utility, double-click on the AEBS. In the popup window, click on Internet. Then click on NAT. Check "Enable default host" and set the IP address to what the AEBS has given to your mac.

The Nortel VPN client then works (at least for me anyway - It didn't work before I tried this).

According to the help for the Airport Utility, "A default host is a computer on your network that is exposed to the Internet and receives all inbound traffic." This obviously doesn't sound like a permanent solution but it is definitely a workaround of sorts.

So one recommendation/workaround is to put the device in the DMZ? That's a horrible workaround. Once your VPN connection is up, if it's smart it will disable any other traffic than destined for that VPN connection (and vice versa) but you're still exposed until you get the tunnel running. And that still doesn't eliminate any buffer/driver exploits...

That's just... ick.

How is this news?

[avalys]

Okay, a brand-new, just-released product has a bug. Why is this on Slashdot?

Re:How is this news?

[karnal]

I don't believe the issue with the new Airport has anything at all to do with the 802.11n spec - it seems to be an internal routing functionality issue.

Re:How is this news?

[avalys]

It's not a problem with all VPNs, just a specific brand of VPN client (Nortel Contivity), that is known to be flaky on gear from a number of manufacturers, not just Apple.

DD-WRT

[AnyThingButWindows]

Although I use Linux, and OS X, I am not a fan of the Airport Extreme. It has a somewhat limited ability in its configurations. I like the Dial-up feature it has that is not common amoung wifi routers for those without broadband. Although it is not my 1st choice of router.

I personally use a Linksys WRT54GL flashed with DD-WRT. They are a complete solution for work environments, and good for home as well. I can get them for $65 a pop, and resell them for $100, and not charge installation. Since they run Linux, you can do almost anything with it. DD-WRT gives it the same, or similar abilities of a $600 router. You can have a hardware VPN solution in the unit as well. The WRT54GL has 16mb ram, and 4mb flash, along with a 200mhz broadcom processor. Its a nice little box. It is a complete solution in most of the networking jobs I do.

WRT54GL: http://www.newegg.com/product/product.asp?item=N82 E16833124190
DD-WRT: http://www.dd-wrt.com/

Re:well gee

[Dunbal]

it's a basic law of selling stuff to test it with one of everything it could be doing up to a reasonable point BEFORE it ships.

      This is true of every industry EXCEPT software. Haven't you noticed?

/. is better than reporting it to Apple

[Lank]

I find it amusing that by this making the front page of slashdot, this will probably get sorted out much more quickly than had they gone through the proper channels over at Apple.

Why is this news?

[erroneus]

People are already asking this. The answer is that the work-around is unacceptable. This is news when it is a Microsoft product. This is news when it's anyone's. Solutions that put users at even further risk is a bad solution.

Here's what I hate, though. Apple sometimes decides not to fix things. It isn't likely to be the case here, but sometimes they just decide not to fix things.

This is news why?

[Andy+Dodd]

It seems that every complaint in that thread is regarding Nortel's Contivity VPN system.

As someone whose employer uses Contivity, I can say that without a doubt, Contivity *sucks*. It is in theory an IPSec implementation, but it is a massively mangled one that suffers from endless problems, especially with NAT. Numerous coworkers of mine have had problems with Contivity and a wide variety of routers from various manufacturers. About the only router that seems to work well with Contivity is one running DD-WRT. For some reason, DD-WRT Just Works.

Re:This is news why?

[bunco]

I succesfully ran Contivity through a PIX for years. Having recently moved to DD-WRT, Contivity works for _most apps_. Unfortunately, interactive data services like SSH seem to be very fragile now. I know it's due to packet loss though I cannot figure out why iptables isn't forwarding the packets. I've watched the counters for the connection and it's in no danger of timing out.

I will agree that Contivity is a finicky pile of poop. Cisco and Checkpoint's clients are far better.

Re:Solution? Put 'er in the DMZ....

[wootest]

That doesn't change the fact that you shouldn't have to put it in the DMZ in the first place. It's a horrible workaround from a security point-of-view, and it's not even practical - if you have two computers inside that want to use a VPN, you're screwed because you can't have two "default hosts".

Even if Mac OS X was twice as secure as it is - and yes, I'm one of them who thinks that outside of bugs and vulnerabilities that almost every piece of software has (unless it was developed by either NASA or djb), it's reasonably secure because it was designed to be more secure, not just because it enjoys less market share - that still wouldn't be a justification for an obvious bug in the base station's firmware. It's a lucky circumstance that may function as a workaround, but there's no way it actually qualifies as an acceptable solution to anything.

RFC 3948 and NAT Traversal

[calmdude]

Nortel Contivity client has long sucked, and most people use older versions that don't support UDP encapsulation and NAT Traversal. Getting TCP IPsec to work is an issue not just with the Airport, but with many firewalls. Try connecting a Nortel Contivity client from behind a PIX/ASA/IOS CBAC, or Netscreen for that matter (with default settings). Stateful filtering and NAT will break the VPN.

Re:RFC 3948 and NAT Traversal

[calmdude]

You're using a newer Contivity client, and your organization has enabled NAT-T on their Nortel endpoint.

A lot of larger corporations use the older client -- Contivity 3.x which doesn't support NAT-T, or they choose to not enable NAT-T on the gateway. This is the case with a lot of Fortune 100 companies.

Re:Can someone explain...

[Andy+Dodd]

"The issue seems to be that, without setting your computer as the DMZ in the base station settings, you can't establish a VPN connection with an external VPN server from your computer."

No, the issue is that without this workaround, you can't connect one specific VPN client (Nortel Contivity) to an external VPN server. All of the problem reports except for one are with Nortel Contivity, a VPN client which is notorious for being finicky as far as working with NAT routers. Trust me, we use it where I work and it breaks with a LARGE variety of routers from various manufacturers.

I know nothing about this Checkpoint client, but it is probably similar to Contivity (In theory, an IPSec implementation, but one that is so badly mangled that it won't speak to any other IPSec implementation other than the one it was specifically designed with. That mangling seems to be related to its tendency to not work well with many NAT routers.)

Re:Jack

[Farmer+Tim]

It's always funny reading the Apple forums - people who know Jack Shit about computers give advice to people who know less and trying to sound all authoritative. ...said the AC in an authoritative voice.

Port Triggering

[thecombatwombat]

OK, first, it doesn't look like anyone from Apple has recommended that everyone using Nortel VPN clients simply set a default host and be done with it. This is a user discussion. Maybe some of those people are Apple employees, but I didn't notice anything telling me that they were. Second, the more appropriate solution would probably a be a port trigger, which the new base station supports. I don't use Nortel VPN, and my Cisco VPN is working fine with my new Extreme, but this thread seems to imply that a simple port trigger fixed the exact same issue for Linksys users. Hopefully that will help.

Re:openvpn

[lukas84]

Actually, in my experience, setting up a PPTP server was a complete and total pain in the ass. I had tried PoPToP on my Linux server (didn't know of any other solutions at the time, and wasn't going to Windows for my server), but I got frustrated as all hell trying to get it working. Even when I thought I got it working, I could never get the clients to connect properly. Hmm, i didn't have much problems doing this. For earlier versions of Linux, a kernel patch for MPPE was required, but since then this has been integrated into the Linux kernel. For some time, there was a rather nasty bug in the Linux kernel, preventing MTU detection from working PPTP MTU Problems - but this has been resolved since then.

As far as "nicely integrating with the OS", well, if you want an easy OpenVPN client solution, pick up OpenVPN-GUI for Windows or Tunnelblick for OS X. They're GUI frontends for OpenVPN that, once you get the config and key files into the configuration directories, connect/disconnect with a couple of mouse-clicks. I've looked at these solutions again about half a year ago. At that time, i didn't feel comfortable guiding a sales rep or a person with similar IT know how through the procedure through the phone - this is different with Windows's and OS X's PPTP client - they're idiot proof. And that's my main reason for using it.

And more problems; OpenVPN and u:pw authentication against Active Directory doesn't seem to be easily possible.