VPN Issues With New Airport Extreme 802.11n

An anonymous reader writes "The new Airport Extremes are shipping and some users are reporting problems with certain types of VPN connectivity. There is a work-around posted in Apple's support forums, but the solution is less than ideal. These issues were not experienced in Apple's earlier Airport Extreme, and users are calling for Apple to fix the issue. Some have even taken their unit back to Apple until a fix is created."

Solution? Put 'er in the DMZ....

[karnal]

From the link; use the "default host" option:

In Airport Utility, double-click on the AEBS. In the popup window, click on Internet. Then click on NAT. Check "Enable default host" and set the IP address to what the AEBS has given to your mac.

The Nortel VPN client then works (at least for me anyway - It didn't work before I tried this).

According to the help for the Airport Utility, "A default host is a computer on your network that is exposed to the Internet and receives all inbound traffic." This obviously doesn't sound like a permanent solution but it is definitely a workaround of sorts.

So one recommendation/workaround is to put the device in the DMZ? That's a horrible workaround. Once your VPN connection is up, if it's smart it will disable any other traffic than destined for that VPN connection (and vice versa) but you're still exposed until you get the tunnel running. And that still doesn't eliminate any buffer/driver exploits...

That's just... ick.

Re:

[norkakn]

This isn't windows. OSX is a reasonably secure OS, and it works fine without having to hide behind some shitty, ineffective firewall. I have over 200 OSX boxes with public IPs, and I'm not particularly worried about them.

The internet, in general, works better when you have a real connection.

Re:Solution? Put 'er in the DMZ....

[wootest]

That doesn't change the fact that you shouldn't have to put it in the DMZ in the first place. It's a horrible workaround from a security point-of-view, and it's not even practical - if you have two computers inside that want to use a VPN, you're screwed because you can't have two "default hosts".

Even if Mac OS X was twice as secure as it is - and yes, I'm one of them who thinks that outside of bugs and vulnerabilities that almost every piece of software has (unless it was developed by either NASA or djb), it's reasonably secure because it was designed to be more secure, not just because it enjoys less market share - that still wouldn't be a justification for an obvious bug in the base station's firmware. It's a lucky circumstance that may function as a workaround, but there's no way it actually qualifies as an acceptable solution to anything.

Re:

[shmlco]

So? It's a work-around, and as far as I can tell, one not posted by Apple but by another user on a forum. You know, work-around? Since the AirPort firmware is easily upgraded wirelessly using the AirPort admin software, I've no doubt that an update will be forthcoming.

As to "that still wouldn't be a justification for an obvious bug in the base station's firmware", perhaps you'd like to point me to ANY other piece of complex software that contains no bugs whatsoever?

Re:

[wootest]

Correct: it is a workaround offered by a user, and surely firmware updates will straighten things out. Correct: no piece of complex software (and almost no pieces of easy software as well) contain bugs. My confidence in Apple to provide an upgrade to the problem has nothing to do with the fact that it is a problem now, and that the workaround - offered by Apple or not - is crap when compared to a real fix.

My comment's parent was arguing that vending a computer directly to the Internet is acceptable and even

Re:

[wootest]

Uh. Correction. Minus: "Correct: no piece of complex software (and almost no pieces of easy software as well) contain bugs." Plus: "Correct: no piece of complex software (and almost no pieces of easy software as well) are free of bugs."

Re:

[karnal]

I'll bite.

Can't windows connect to an Airport Extreme? If so, I'd see it as no different than an issue with any other home networking gear. Doesn't matter what's on the other side of the router; having it in the DMZ is pretty foolish from a network administration point of view (yup, I'm a network admin.)

Really?

[repvik]

Jesus. Get a grip. It's a bug. This happens all the time with software. Actually, I'll be off now whining about that my wireless card hangs under linux.

Re:

[Afecks]

Did you pay for Linux? Did you pay for a wireless card designed for Linux by the same company that sold you Linux?

You didn't?

Then why did these people pay Apple for the same treatment?

Either your comment is stupid or Apple customers are stupid.

Re:

[EveLibertine]

[blockquote]Either your comment is stupid or Apple customers are stupid.[/blockquote] You seem to have negated the possibility that both statements are true.

Re:

[el_womble]

He said or not xor.

Re:

[repvik]

No, I didn't pay for linux. The card wasn't *designed* for linux either. But really. Shit happens. It's not worthy of a slashdot story. Operating systems and hardware are both horrendously complex. Bugs are guaranteed to show up.

How is this news?

[avalys]

Okay, a brand-new, just-released product has a bug. Why is this on Slashdot?

Re:

[ruiner13]

Not only that, but the 802.11n spec isn't even final yet. So for all practical purposes, it is a beta until it is a standard as there is still a chance the protocol will change.

Re:How is this news?

[karnal]

I don't believe the issue with the new Airport has anything at all to do with the 802.11n spec - it seems to be an internal routing functionality issue.

Re:

[mkiwi]

Okay, a brand-new, just-released product has a bug. Why is this on Slashdot?
It's on Digg, we have to have some coverage or else we'd look responsible!

Re:

[cerberusss]

Why is this on Slashdot?/blockquote If you didn't find it interesting, why did you click on the story to start commenting on it?

Re:

[dutin]

This is a bug that should never make it past QA. VPN isn't exactly an obscure concept that few people ever use. This show lack of testing, not your average bug.

Re:How is this news?

[avalys]

It's not a problem with all VPNs, just a specific brand of VPN client (Nortel Contivity), that is known to be flaky on gear from a number of manufacturers, not just Apple.

Re:

[makomk]

It's not a problem with all VPNs, just a specific brand of VPN client (Nortel Contivity), that is known to be flaky on gear from a number of manufacturers, not just Apple. If you actually read further down the thread, people are reporting issues with AT&T Global Network Dialer and Checkpoint SecureClient... I think Contivity is just the most widely used client that's flaky.

DD-WRT

[AnyThingButWindows]

Although I use Linux, and OS X, I am not a fan of the Airport Extreme. It has a somewhat limited ability in its configurations. I like the Dial-up feature it has that is not common amoung wifi routers for those without broadband. Although it is not my 1st choice of router.

I personally use a Linksys WRT54GL flashed with DD-WRT. They are a complete solution for work environments, and good for home as well. I can get them for $65 a pop, and resell them for $100, and not charge installation. Since they run Linux, you can do almost anything with it. DD-WRT gives it the same, or similar abilities of a $600 router. You can have a hardware VPN solution in the unit as well. The WRT54GL has 16mb ram, and 4mb flash, along with a 200mhz broadcom processor. Its a nice little box. It is a complete solution in most of the networking jobs I do.

WRT54GL: http://www.newegg.com/product/product.asp?item=N82 E16833124190 [newegg.com]
DD-WRT: http://www.dd-wrt.com/ [dd-wrt.com]

Re:

[Eddi3]

I'm also using my two Motorola WR850GPs along with DD-WRT. I have the second router set up halfway between the first router and my parents' room, with DD-WRT, set up as a signal repeater. Very handy.

Re:

[wbd]

Actually, I don't believe the new AirPort Extreme they just released has dial-up (and dial-out) capability.

Picture here: http://www.apple.com/airportextreme/specs.html [apple.com]

Certainly there's no longer a modem port on the back of the unit like on my old pre-extremet Airport "Snow".

Surprised me that they'd drop it. They must believe that dial-up and dial-out is no longer worth supporting. Of course, most of the wifi basestations from other vendors out there out there don't support it and never have. Something wo

Re:well gee

[Dunbal]

it's a basic law of selling stuff to test it with one of everything it could be doing up to a reasonable point BEFORE it ships.

      This is true of every industry EXCEPT software. Haven't you noticed?

/. is better than reporting it to Apple

[Lank]

I find it amusing that by this making the front page of slashdot, this will probably get sorted out much more quickly than had they gone through the proper channels over at Apple.

Re:

[Ed_1024]

I think I can confirm the Slashdot effect:

At the exact moment I pulled up the /. main page and read the headline on 'n', the 'software update' window appeared over it and asked if I wanted to install the fix to the Airport Extreme drivers. Spooky!

Re:

[j h woodyatt]

I find it amusing that not one of the legions of Slashdot geniuses has yet to snoop the packets with tcpdump and notice that the IKE phase 2 ISAKMP packets coming back from the server through the NAT have broken UDP checksums. If that had been in the comments on this thread on Sunday when it was created here, then maybe Slashdot discussion threads would be worth following.

Why is this news?

[erroneus]

People are already asking this. The answer is that the work-around is unacceptable. This is news when it is a Microsoft product. This is news when it's anyone's. Solutions that put users at even further risk is a bad solution.

Here's what I hate, though. Apple sometimes decides not to fix things. It isn't likely to be the case here, but sometimes they just decide not to fix things.

Re:

[Angostura]

It's acceptable as a workaround, it isn't acceptable as an alternative to a long-term fix. For various reasons I have one of my Macs diretly connected as the default host for a couple of years now. It has hardly any external services running and I've never encountered any security problems. That's not to say that I won't, of course. But as a short-term workaround, it should be fine.

Re:

[bill_mcgonigle]

Here's what I hate, though. Apple sometimes decides not to fix things. It isn't likely to be the case here, but sometimes they just decide not to fix things.

Oh, it's a new product, they'll fix it - just don't expect products that are a generation back to get any fixes. I reported a bug in Panther three weeks after Tiger was released, with a one line patch, and it was rejected, saying they weren't accepting issues on it anymore. And that's not a minor product.

"until a fix is created"

[chris_eineke]

Intelligently I hope!

This is news why?

[Andy Dodd]

It seems that every complaint in that thread is regarding Nortel's Contivity VPN system.

As someone whose employer uses Contivity, I can say that without a doubt, Contivity *sucks*. It is in theory an IPSec implementation, but it is a massively mangled one that suffers from endless problems, especially with NAT. Numerous coworkers of mine have had problems with Contivity and a wide variety of routers from various manufacturers. About the only router that seems to work well with Contivity is one running DD-WRT. For some reason, DD-WRT Just Works.

Re:

[bunco]

I succesfully ran Contivity through a PIX for years. Having recently moved to DD-WRT, Contivity works for _most apps_. Unfortunately, interactive data services like SSH seem to be very fragile now. I know it's due to packet loss though I cannot figure out why iptables isn't forwarding the packets. I've watched the counters for the connection and it's in no danger of timing out.

I will agree that Contivity is a finicky pile of poop. Cisco and Checkpoint's clients are far better.

Re:

[im_thatoneguy]

Because what the article fails to mention is VPN clients aren't the only thing broken. Xbox Live and others are also experiencing problems with this new router. It's a systemic problem not an isolated application.

Re:

[datafr0g]

Most IPSec implementations suck when the client either doesn't support UDP Encapsulation or it's not turned on at the client and the concentrator. IPSec by itself doesn't play nicely with NAT - most home routers out there automatically work around this but a number of them have trouble handling IPSec. I believe this has something to do with the protocols that need to be routed. From memory, this is Protocol 50, 51. Not quite sure why this happens but my guess is that the router just can't cope with NAT

Replying to myself - perhaps SPI?

[Andy Dodd]

It may be that in the name of "security from internal malware" (I cannot see any reason for SPI firewalls to exist in NAT routers other than to protect the outside world from internal machines infected with malware, and the behavior of Netgear's SPI implementation confirms this suspicion that SPI is all about protecting the world from you instead of the other way around.), Apple added some sort of SPI firewall to their new routers.

I am not too familiar with other vendor implementations, but I know that Net

Can someone explain...

[Weston O'Reilly]

... what the issue is? When I click the link to the forum post, this is the question:

"I am considering buying this new Airport, but I will need to set up a VPN between it and my work location. Can this device cope with doing that? The old Airport Extreme could not."

This doesn't seem to have anything to do with the summary. The old Airport Extreme could not? The summary says "These issues were not experienced in Apple's earlier Airport Extreme".

Does this mean I can't use my Cisco VPN client to conne

Re:

[wootest]

The issue seems to be that, without setting your computer as the DMZ in the base station settings, you can't establish a VPN connection with an external VPN server from your computer.

Re:Can someone explain...

[Andy Dodd]

"The issue seems to be that, without setting your computer as the DMZ in the base station settings, you can't establish a VPN connection with an external VPN server from your computer."

No, the issue is that without this workaround, you can't connect one specific VPN client (Nortel Contivity) to an external VPN server. All of the problem reports except for one are with Nortel Contivity, a VPN client which is notorious for being finicky as far as working with NAT routers. Trust me, we use it where I work and it breaks with a LARGE variety of routers from various manufacturers.

I know nothing about this Checkpoint client, but it is probably similar to Contivity (In theory, an IPSec implementation, but one that is so badly mangled that it won't speak to any other IPSec implementation other than the one it was specifically designed with. That mangling seems to be related to its tendency to not work well with many NAT routers.)

Re:

[wootest]

"The issue seems to be that, without setting your computer as the DMZ in the base station settings, you can't establish a VPN connection with an external VPN server from your computer."

No, the issue is that without this workaround, you can't connect one specific VPN client (Nortel Contivity) to an external VPN server.

That was exactly what I said, unless you can parse that sentence another way. (I probably should have said "you can't establish a VPN connection to an external VPN server" instead of "wit

Re:

[Andy Dodd]

You said that you couldn't establish any sort of a VPN connection (Implying that the router cannot be used for any VPN connectivity), rather than only not being able to establish one with a specific client known for not playing well with NAT routers.

Re:

[valkraider]

Am I going to have to separate you two?

Re:

[Mousit]

I can't speak for the article/summary and where in the world they're mixing their info, but I can say that I use the Cisco VPN client through my Airport Extreme base station (11g, not this new 11n model) without a single issue. I never had to fiddle with anything nor did I ever have any trouble using it.

picky picky picky

[v1]

I realize it's supposed to work with VPN and all, but for a new product release this is a fairly minor issue. It'll certainly be fixed in the next firmware update which we are likely to see later this month. I saw two people post that they returned their airports until apple fixes it. That's sort of like returning your new car because the remote trunk release isn't working properly. Too many people expect perfection even on new products.

I do sympathize with the users that need their VPN to work, but when an issue affects only 2% of the customer base it's unreasonable to expect the manufacturer to scramble their entire tech staff to fix it instantly. Be reasonable and they will fix it in a reasonable amount of time.

Re:Jack

[Farmer Tim]

It's always funny reading the Apple forums - people who know Jack Shit about computers give advice to people who know less and trying to sound all authoritative. ...said the AC in an authoritative voice.

RFC 3948 and NAT Traversal

[calmdude]

Nortel Contivity client has long sucked, and most people use older versions that don't support UDP encapsulation and NAT Traversal. Getting TCP IPsec to work is an issue not just with the Airport, but with many firewalls. Try connecting a Nortel Contivity client from behind a PIX/ASA/IOS CBAC, or Netscreen for that matter (with default settings). Stateful filtering and NAT will break the VPN.

Re:

[bunco]

Wrong.

I've been using Nortel Contivity Client from behind a PIX (subject to interface PAT) for 3 years without any problem.

Re:RFC 3948 and NAT Traversal

[calmdude]

You're using a newer Contivity client, and your organization has enabled NAT-T on their Nortel endpoint.

A lot of larger corporations use the older client -- Contivity 3.x which doesn't support NAT-T, or they choose to not enable NAT-T on the gateway. This is the case with a lot of Fortune 100 companies.

Re:

[bunco]

So if the v5 client I'm running was released in '04, v4 is circa '03 and v3 is the broken client you speak of, how can you claim that the client has "long sucked" ? I'm not a Nortel fanboy or anything but it seems unfair to gripe about the shortcomings of a 4 year old client. v4 and v5 work fine w/ NAT. It doesn't surprise me that the Flintstone's build doesn't.

What _is_ fair is bitching about Apple's product (QA anyone?). Read up... Contivity isn't the only app broken by this gateway.

Re:

[bunco]

Everyone keeps saying that Contivity is notorious for not working w/ firewalls and/or NAT traversal. I've used the client with 3 completely different firewall implementations and have had no problems. What gives?

Based upon the recent press releases from Apple

[goldcd]

This is not a fault in their product, it's your fault for trying to do it.
There may or may not be a fix for it in the next few weeks, but until then, just appreciate the aesthetics of your over-priced hardware.
lots of love,
SteveyJ
xxx

Re:

[icepick72]

While we're pointing out potential hypocrisies of Apple, I always found this funny -- did any developers ever notice in the "Gift Exchange" Apple commercial @ http://www.apple.com/getamac/ads/ [apple.com] PC is really hoping for a C++ GUI Programming manual for XMas, while Mac uses iPhoto software to put together a nice gift easily.

Well ... if you have ever visited the Apple Developer Connection... http://developer.apple.com/ [apple.com] C/C++ seems the language of choice and not many development tools exist except a few provide

Re:

[skinfitz]

You forgot the 'boom!'

Different workaround?

[bunco]

I don't own one of these devices so I cannot test this for sure, but instead of blindly forwarding everything to a "default host" (I presume this is like "DMZ mode" on other routers), has anyone tried forwarding requisite ports?

Most VPN clients encapsulate ESP packets in UDP for NAT traversal. It sounds to me like the router's handling of pseudo-stateful connections (how firewalls handle protocols like UDP in a stateful fashion) is broken. If it were _completely_ broken, DNS queries wouldn't work either.

Re:

[Slashcrap]

I don't own one of these devices so I cannot test this for sure, but instead of blindly forwarding everything to a "default host" (I presume this is like "DMZ mode" on other routers), has anyone tried forwarding requisite ports?

That is very unlikely to help. Generally these problems are caused by a faulty IPSEC Passthrough feature on the router which decides it's going to mangle your packets even when they're encapsulated (encapsulated IPSEC traffic should not require assistance).

Often the only way to disab

openvpn

[93 Escort Wagon]

One of the (many) nice things about openvpn is how it seems to work very well without requiring monkeying around needed on your hardware - you have to add/enable the tun/tap drivers on the client machine, but that's about it. I've been using it for about a year, connecting from my OS X laptop to my linux box at work. I've also, for testing's sake, connected from a Windows box without problems.

Openvpn is quite straightforward to set up, secure, cross-platform, and FREE.

Re:

[lukas84]

I use OpenVPN a lot, but only for site-to-site configurations. For roadwarriors, i recommend PPTP.

Why?

Both OS X and Windows (from 2000) have a native PPTP client. PPTP uses GRE, so it doesn't work with routers that don't support VPN Passthrough, but nearly 99% do. The ease of deployment of PPTP is massive - OpenVPN requires a lot more work, and isn't as nicely integrated into the OS as PPTP on both OS X and Windows.

For the server side, you can create a PPTP server on almost everything. I usually use Linux

Re:

[D'Arque Bishop]

I use OpenVPN a lot, but only for site-to-site configurations. For roadwarriors, i recommend PPTP.

Why?

Both OS X and Windows (from 2000) have a native PPTP client. PPTP uses GRE, so it doesn't work with routers that don't support VPN Passthrough, but nearly 99% do. The ease of deployment of PPTP is massive - OpenVPN requires a lot more work, and isn't as nicely integrated into the OS as PPTP on both OS X and Windows.

Actually, in my experience, setting up a PPTP server was a complete and total pain in the ass

Re:

[lukas84]

Actually, in my experience, setting up a PPTP server was a complete and total pain in the ass. I had tried PoPToP on my Linux server (didn't know of any other solutions at the time, and wasn't going to Windows for my server), but I got frustrated as all hell trying to get it working. Even when I thought I got it working, I could never get the clients to connect properly.

Hmm, i didn't have much problems doing this. For earlier versions of Linux, a kernel patch for MPPE was required, but since then this has been integrated into the Linux kernel. For some time, there was a rather nasty bug in the Linux kernel, preventing MTU detection from working PPTP MTU Problems [projectdream.org] - but this has been resolved since then.

As far as "nicely integrating with the OS", well, if you want an easy OpenVPN client solution, pick up OpenVPN-GUI for Windows or Tunnelblick for OS X. They're GUI frontends for OpenVPN that, once you get the config and key files into the configuration directories, connect/disconnect with a couple of mouse-clicks.

I've looked at these solutions again about half a year ago. At that time, i didn't feel comfortable guiding a sales rep or a person with similar IT know how through the pro

Re:

[D'Arque Bishop]

Hmm, i didn't have much problems doing this. For earlier versions of Linux, a kernel patch for MPPE was required, but since then this has been integrated into the Linux kernel. For some time, there was a rather nasty bug in the Linux kernel, preventing MTU detection from working PPTP MTU Problems - but this has been resolved since then.

I'll grant that it had been a while since I had tried to build PPTP. I had also tried FreeS/WAN, but if anything that was even MORE of a pain in the ass. OpenVPN was a bree

Re:

[perlchild]

I've modded the openvpn gui msi to make it practically idiot-proof. It was not particularly difficult. As for auth, you can use an external perl script to auth over ldap/kerb onto AD. Not "easy" but doable certainly, however. I'd say doing u:pw means you are avoiding some of the best aspect of openvpn, passwordless operation built upon 256bit TLS keys.

Re:

[account_deleted]

Comment removed based on user account deletion

Port Triggering

[thecombatwombat]

OK, first, it doesn't look like anyone from Apple has recommended that everyone using Nortel VPN clients simply set a default host and be done with it. This is a user discussion. Maybe some of those people are Apple employees, but I didn't notice anything telling me that they were. Second, the more appropriate solution would probably a be a port trigger, which the new base station supports. I don't use Nortel VPN, and my Cisco VPN is working fine with my new Extreme, but this thread [computing.net] seems to imply that a simple port trigger fixed the exact same issue for Linksys users. Hopefully that will help.

Re:

[smoker2]

I'm a troll apparently. So which part was not according to regs. (or does Apple stuff not "just work")

Re:

[tm2b]

No.

The great strength of Apple is that when things doesn't "just work," it's considered a bug instead of an industry standard.