Slashdot Mirror


VPN Issues With New Airport Extreme 802.11n

An anonymous reader writes "The new Airport Extremes are shipping and some users are reporting problems with certain types of VPN connectivity. There is a work-around posted in Apple's support forums, but the solution is less than ideal. These issues were not experienced in Apple's earlier Airport Extreme, and users are calling for Apple to fix the issue. Some have even taken their unit back to Apple until a fix is created."

9 of 87 comments

  1. Solution? Put 'er in the DMZ.... by karnal · · Score: 5, Insightful

    From the link; use the "default host" option:

    In Airport Utility, double-click on the AEBS. In the popup window, click on Internet. Then click on NAT. Check "Enable default host" and set the IP address to what the AEBS has given to your mac.

    The Nortel VPN client then works (at least for me anyway - It didn't work before I tried this).

    According to the help for the Airport Utility, "A default host is a computer on your network that is exposed to the Internet and receives all inbound traffic." This obviously doesn't sound like a permanent solution but it is definitely a workaround of sorts.


    So one recommendation/workaround is to put the device in the DMZ? That's a horrible workaround. Once your VPN connection is up, if it's smart it will disable any other traffic than destined for that VPN connection (and vice versa) but you're still exposed until you get the tunnel running. And that still doesn't eliminate any buffer/driver exploits...

    That's just... ick.

    --
    Karnal
  2. DD-WRT by AnyThingButWindows · · Score: 5, Informative

    Although I use Linux, and OS X, I am not a fan of the Airport Extreme. It has a somewhat limited ability in its configurations. I like the Dial-up feature it has that is not common among wifi routers for those without broadband. Although it is not my 1st choice of router.

    I personally use a Linksys WRT54GL flashed with DD-WRT. They are a complete solution for work environments, and good for home as well. I can get them for $65 a pop, and resell them for $100, and not charge installation. Since they run Linux, you can do almost anything with it. DD-WRT gives it the same, or similar abilities of a $600 router. You can have a hardware VPN solution in the unit as well. The WRT54GL has 16 MB RAM, and 4 MB flash, along with a 200 MHz Broadcom processor. It's a nice little box. It is a complete solution in most of the networking jobs I do.

    WRT54GL: http://www.newegg.com/product/product.asp?item=N82E16833124190
    DD-WRT: http://www.dd-wrt.com/

    --
    When government fears the people, there is liberty. When the people fear the government, there is tyranny. - Jefferson
  3. Why is this news? by erroneus · · Score: 5, Insightful

    People are already asking this. The answer is that the work-around is unacceptable. This is news when it is a Microsoft product. This is news when it's anyone's. Solutions that put users at even further risk are bad solutions.

    Here's what I hate, though. Apple sometimes decides not to fix things. It isn't likely to be the case here, but sometimes they just decide not to fix things.

  4. Re:How is this news? by karnal · · Score: 4, Insightful

    I don't believe the issue with the new Airport has anything at all to do with the 802.11n spec - it seems to be an internal routing functionality issue.

    --
    Karnal
  5. This is news why? by Andy+Dodd · · Score: 5, Informative

    It seems that every complaint in that thread is regarding Nortel's Contivity VPN system.

    As someone whose employer uses Contivity, I can say that without a doubt, Contivity *sucks*. It is in theory an IPSec implementation, but it is a massively mangled one that suffers from endless problems, especially with NAT. Numerous coworkers of mine have had problems with Contivity and a wide variety of routers from various manufacturers. About the only router that seems to work well with Contivity is one running DD-WRT. For some reason, DD-WRT Just Works.

    --
    retrorocket.o not found, launch anyway?
  6. Re:Solution? Put 'er in the DMZ.... by wootest · · Score: 4, Insightful

    That doesn't change the fact that you shouldn't have to put it in the DMZ in the first place. It's a horrible workaround from a security point-of-view, and it's not even practical - if you have two computers inside that want to use a VPN, you're screwed because you can't have two "default hosts".

    Even if Mac OS X was twice as secure as it is - and yes, I'm one of those who think that outside of bugs and vulnerabilities that almost every piece of software has (unless it was developed by either NASA or djb), it's reasonably secure because it was designed to be more secure, not just because it enjoys less market share - that still wouldn't be a justification for an obvious bug in the base station's firmware. It's a lucky circumstance that may function as a workaround, but there's no way it actually qualifies as an acceptable solution to anything.

  7. RFC 3948 and NAT Traversal by calmdude · · Score: 5, Interesting

    Nortel Contivity client has long sucked, and most people use older versions that don't support UDP encapsulation and NAT Traversal. Getting TCP IPsec to work is an issue not just with the Airport, but with many firewalls. Try connecting a Nortel Contivity client from behind a PIX/ASA/IOS CBAC, or Netscreen for that matter (with default settings). Stateful filtering and NAT will break the VPN.

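    An added illustration (not from any poster in this thread) of the point made in comments 1 and 7: a deliberately naive port-based NAT model shows why raw ESP (IP protocol 50, no port numbers) has nothing for a return mapping, why a single "default host" catches those replies but only for one inside machine, and how RFC 3948 UDP encapsulation on port 4500 gives the NAT a normal UDP flow to track. The addresses, the `SimpleNat` class and the helper names are constructed for the example; real routers with "IPsec passthrough" may track SPIs and do better than this model.

```python
import struct

# Constructed addresses (RFC 5737 documentation ranges); not from the thread.
INSIDE_A, INSIDE_B = "10.0.1.10", "10.0.1.11"
WAN, GATEWAY = "203.0.113.5", "198.51.100.1"
NAT_T_PORT = 4500

def classify_nat_t(payload: bytes) -> str:
    """Classify a UDP/4500 payload per RFC 3948: keepalive, IKE or ESP."""
    if payload == b"\xff":            # a single 0xFF byte is a NAT-keepalive
        return "keepalive"
    if len(payload) < 8:              # shorter than an ESP SPI + sequence number
        return "malformed"
    if struct.unpack("!I", payload[:4])[0] == 0:   # zero Non-ESP Marker => IKE
        return "ike"
    return "esp"                      # non-zero first 32-bit word is the ESP SPI

class SimpleNat:
    """Port-based NAT with an optional 'default host' (the Airport's DMZ-like
    option). Deliberately naive: no SPI tracking for raw ESP (IP proto 50)."""
    def __init__(self, default_host=None):
        self.table = {}               # (proto, wan_port) -> (inside_ip, inside_port)
        self.next_port = 40000
        self.default_host = default_host
    def outbound(self, proto, src, sport, dst, dport):
        if proto != "udp":            # ESP carries no ports: nothing to key a reply on
            return (proto, WAN, None, dst, None)
        self.next_port += 1
        self.table[("udp", self.next_port)] = (src, sport)
        return ("udp", WAN, self.next_port, dst, dport)
    def inbound(self, proto, src, sport, dst, dport):
        """Inside (ip, port) a reply is forwarded to, or None if it is dropped."""
        hit = self.table.get((proto, dport))
        if hit is None and self.default_host:
            hit = (self.default_host, dport)   # every unmatched packet goes to one host
        return hit

def raw_esp_reply(nat, inside_ip=INSIDE_A):
    """Client sends raw ESP, gateway replies with ESP: where does the reply land?"""
    nat.outbound("esp", inside_ip, None, GATEWAY, None)
    return nat.inbound("esp", GATEWAY, None, WAN, None)

def nat_t_reply(nat, inside_ip=INSIDE_A):
    """Same exchange with RFC 3948 UDP encapsulation on port 4500."""
    _, _, wan_port, _, _ = nat.outbound("udp", inside_ip, NAT_T_PORT, GATEWAY, NAT_T_PORT)
    return nat.inbound("udp", GATEWAY, NAT_T_PORT, WAN, wan_port)
```

    Running the two helpers against a `SimpleNat()` with and without a default host reproduces the thread's complaint: raw ESP replies are dropped, a default host delivers them to exactly one machine (a second VPN user's replies land on the wrong host), and the NAT-T flow works for any number of inside clients.
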
  8. Port Triggering by thecombatwombat · · Score: 4, Informative

    OK, first, it doesn't look like anyone from Apple has recommended that everyone using Nortel VPN clients simply set a default host and be done with it. This is a user discussion. Maybe some of those people are Apple employees, but I didn't notice anything telling me that they were. Second, the more appropriate solution would probably be a port trigger, which the new base station supports. I don't use Nortel VPN, and my Cisco VPN is working fine with my new Extreme, but this thread seems to imply that a simple port trigger fixed the exact same issue for Linksys users. Hopefully that will help.

  9. Re:How is this news? by avalys · · Score: 4, Interesting

    It's not a problem with all VPNs, just a specific brand of VPN client (Nortel Contivity), that is known to be flaky on gear from a number of manufacturers, not just Apple.

    --
    This space intentionally left blank.