VPN and Airport Extreme (802.11n)

I am considering buying this new Airport, but I will need to set up a VPN between it and my work location. Can this device cope with doing that? The old Airport Extreme could not.

Intel iMac 20" 2GHz, Mac OS X (10.4.8), 2Gb. SDRAM

Posted on Jan 30, 2007 4:00 PM

219 replies

Feb 20, 2007 6:14 PM in response to Darach Corcoran1

Hello to my fellow Nortel Contivity users...

This is the email I received from Nortel Engineering...

---------------------------------------------------
IPSec does not disturb the original IP header and can be routed as normal IP traffic. Routers and switches in the data path between the communicating hosts simply forward the packets to their destination. However, when there is a firewall or gateway in the data path, IP forwarding must be enabled at the firewall for the following IP protocols and UDP ports:


IP Protocol ID 50:
For both inbound and outbound filters. Should be set to allow Encapsulating Security Protocol (ESP) traffic to be forwarded.


IP Protocol ID 51:
For both inbound and outbound filters. Should be set to allow Authentication Header (AH) traffic to be forwarded.


UDP Port 500:
For both inbound and outbound filters. Should be set to allow ISAKMP traffic to be forwarded.

L2TP/IPSec traffic looks just like IPSec traffic on the wire. The firewall just has to allow IKE (UDP 500) and IPSec ESP formatted packets (IP protocol = 50).
---------------------------------------------------

Sooooo, armed with this techno mumbo jumbo, I went to the ADVANCED / PORT FORWARDING settings and I thought I had properly mapped Ports 50, 51, and 500 to my PC's IP address. Still didn't work. Even if it did, it would be a temporary solution because it only supports one PC but at least it doesn't make you put your PC in the Default Host (DMZ).

Maybe someone with more technical knowledge can make the info here work.
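
Added example (not part of the original post or the Nortel email): a port-mapping entry matches on TCP/UDP port numbers, while the protocol IDs 50 and 51 in the quoted email are values of the IPv4 header's protocol field, and ESP and AH packets carry no port at all. The sketch parses constructed packets and compares the email's filter with a port mapping for 50, 51 and 500; the addresses, sample payloads and function names are assumptions.

```python
import struct

# IANA IP protocol numbers: carried in byte 9 of the IPv4 header, not in a port field.
PROTO_NAMES = {6: "TCP", 17: "UDP", 50: "ESP", 51: "AH"}

def ipv4(proto, payload, src="192.168.1.10", dst="203.0.113.5"):
    """Build a minimal constructed IPv4 packet (header checksum left at 0)."""
    addr = lambda s: bytes(int(o) for o in s.split("."))
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                         0, 0, 64, proto, 0, addr(src), addr(dst))
    return header + payload

def udp(sport, dport, data=b""):
    """Build a UDP header (checksum 0) followed by data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def classify(packet):
    """Return (protocol name, destination port); port is None if the protocol has none."""
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    proto = packet[9]                     # protocol field
    name = PROTO_NAMES.get(proto, "proto-%d" % proto)
    if proto in (6, 17):                  # only TCP and UDP have port numbers
        return name, struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    return name, None

def allowed_by_email_rules(packet):
    """Filter described in the quoted email: protocol 50, protocol 51, UDP port 500."""
    name, dport = classify(packet)
    return name in ("ESP", "AH") or (name == "UDP" and dport == 500)

def matched_by_port_mapping(packet, ports=(50, 51, 500)):
    """What a TCP/UDP port mapping for 50, 51 and 500 can match: ports only."""
    _, dport = classify(packet)
    return dport in ports

# Constructed sample packets (payload bytes are placeholders, not real VPN traffic).
SAMPLES = {
    "IKE": ipv4(17, udp(500, 500, b"\x00" * 28)),
    "ESP": ipv4(50, struct.pack("!II", 0x1001, 1) + b"\x00" * 16),
    "AH": ipv4(51, b"\x32\x04\x00\x00" + struct.pack("!II", 0x1002, 1) + b"\x00" * 12),
    "UDP to port 50": ipv4(17, udp(40000, 50)),
}

def report():
    """Map label -> (protocol, allowed by email rules, matched by port mapping)."""
    return {label: (classify(p)[0], allowed_by_email_rules(p), matched_by_port_mapping(p))
            for label, p in SAMPLES.items()}

if __name__ == "__main__":
    for label, row in report().items():
        print("%-15s %s" % (label, row))
```
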

Feb 23, 2007 11:49 AM in response to Michael-StLouis

Heck, this affects those who use Macs at home and PCs in the workplace too.

I mean, the VPN failure is on the Airport - not the Mac. Which means it is "broke" for Windows clients as well. So to get a company laptop running Windows to VPN in it has to be in the DMZ as well...

But it is a recognized problem, that there should be a forthcoming fix for.

Remember, Apple does not read these forums - so if you want to tell them something, use Feedback or if you are an ADC member you can file a bug report.

Feb 23, 2007 2:41 PM in response to John Reinhold

This is exactly the case. I called tech support and filed a case. The official response from Apple's Engineering Dept was "we are aware of multiple reports about this issue and are/will probably issue an update in the form of firmware or regular software update." They were very careful not to "admit" there is a problem, but they sure do know about it.

A solution that will actually work without doing the DMZ workaround - which is what I am doing - is I kept my old AEBSg running, and set the AEBSn in bridge mode, running a separate wireless network. Just plug the WAN port of the N into the only LAN port of the old AEBS. The VPN works this way without having to use the DMZ solution, and allows me to keep separate g and n networks without compromising on speed. The Macs use the n and the XP laptops use the g and connect via VPN.

iMac Intel Mac OS X (10.4.4) Linksys WRT54G

Feb 23, 2007 9:27 PM in response to elejaces

I have read through this thread and am utterly confused. I have just bought the new Airport Extreme and set it up. Unfortunately I have to use windoze at work so I use Parallels, which works great. The company uses Checkpoint VPN, but only on Windows platform. I am able to connect to the company VPN from various coffee shops etc, but not through my brand new Airport Extreme. I get a message telling me that I have been authenticated by something called radius, but my machine is then unable to connect to any shares.

I have 15 days to return my new airport, will I have to or is there a method to make this work (that I can understand)?

Many thanks

MacBook Pro 2GB and a venerable Cube Mac OS X (10.4.8)

Feb 23, 2007 9:45 PM in response to Jerry Hart

Jerry,

What you have to do to get CheckPoint VPN, and most other VPNs, to work (for now) is put the machine you are going to VPN from that is behind the Airport Extreme in the DMZ, so it isn't firewalled by the AirPort Extreme. To do this, open the new AirPort Utility that you should have installed off the disc that came with the AirPort Extreme Base Station, select the AirPort Extreme Base Station on the left, then go to the Base Station menu, Manual Setup. Click on the Internet icon on top, then the NAT tab, and finally select Enable default host at: and enter the IP address from your machine. If you are using DHCP, which of course you most likely are, you can get the current IP address of your machine through the Network System Preference, and configure this on the AirPort Extreme Base Station. This is in Internet as well, on the DHCP tab. There is a section called DHCP Reservations.

Hope this points you in the right direction.

-Dave

Feb 24, 2007 8:33 AM in response to elejaces

Thanks for the suggestion. Unfortunately I have two separate machines that I need to be able to connect via VPN, so the workaround does not help me in this case. I called Apple and they asked me if my VPN client was IP sec or PPT protocol (it is IPsec) but after chatting with the tech rep it is obvious this is a problem that Apple needs to fix PRONTO!

In the meanwhile, I have set up my old Airport Extreme as the main base, and slaved the N via ethernet, giving me two separate Wireless Networks. I am using the Old Extreme for the VPN connections, and the new N for the Macs. I expect Apple to fix this soon, because it makes no sense to "have to have" two routers.

Regards,


I have a workaround which may address your problem. I moved from a Netgear g router to the new AirPort Extreme N. I wanted to continue to use the N functionality for my LAN (OK, I only have one G device at the moment, but am waiting eagerly for iTV), but need to connect multiple Nortel VPN connections as well.

I hooked the WAN on the basestation up to one of the LAN ports on the Netgear router, which is still connected to the internet. In the basestation configuration, under the internet tab, I set the Connection Sharing to Bridge Mode.

I now have two Nortel VPN clients connected at once (essentially using the Netgear's addressing). I've been on for a total of about 5 minutes now, and using two routers seems like a silly solution, but it seems to work.

I'm also not sure whether this means that all LAN traffic is going through both routers (wired between AEX and the netgear), and what the LAN speed implications of that would be.

Not a solution, but could keep people from having to expose their computer in a VPN, and also let people use multiple connections on the AEX-n without needing to switch networks.


Hope this helps.



Macbook, iMac, Mini etc... Mac OS X (10.4.8)
