How to configure base station for VPN access?

[jbaugh]

I access my company's sites via a VPN client on my computer that is on my small LAN at home. This consists of a cable internet access connected to a new Apple Extreme AirPort base station which is shared by two wirless Macs and a Windows XP machine.
I can easily connect with the VPN software when the connecting computer is directly connected to the cable modem (i.e. bypassing the Airport base station). I can do this both with my main Mac or with the Windows machine. But I cannot connect with the VPN software from either computer if the computers are connected to the cable modem via the Airport base station. Can someone give me some help on what I need to do? It is a royal pain to have to reconfigure my system every time I need to access via VPN.
John

[aogail]

I believe you need to forward the VPN port to whichever computer will be accessing the VPN. The port # is completely arbitrary -- if you don't know it, you may have to ask a sysadmin from work.

You can change port forwarding in the AirPort Admin Utility.

[hschickel]

Specifically - for IPSec to work - you need to open port 500 (UDP) and allow protocols 50 and 51 to pass through the firewall. I'm not sure how to do this with the AEBS - I'm trying to work it out right now.

I fear that the only way this will work is with ethernet bridging to a higher end routing device.

Hugh

[jbaugh]

Quote: Originally posted by hschickel I fear that the only way this will work is with ethernet bridging to a higher end routing device.

Hugh,
I'm afraid you are correct. VPN, at least with the Nortel Contivity software, will not work if it is routed through the AEBS, whether the AEBS is set to routing or bridging mode. I know from extensive experience and from reasearch at Apple's Tech support discussion forum.
Because of this problem, I just bought a Netgear router RP614 at Staples for $49 after a $20 mail in rebate. My VPN works flawlessly as long as I route my computer through the router by Ethernet and bypass the AEBS. It will not work if the AEBS is involved in the data transmission.
This is not a problem for me since I now do my VPN work via my Windows XP machine which does not have wireless capability. But I am frustrated that I still cannot connect with my machintosh version of Nortel VPN software unless I have a hard wired connection either to the router or to the cable modem itself. I have lost the abillity to connect by VPN with my PowerBook in wireless mode!

The Netgear router, by the way, is a top notch item. I am very happy with it. Much more router functionality than the AirPort base station ever dreams of.
I was able to do a lot of configuring through the web based set up. Very easy and very nice.
Let us all know if you come up with a solution using AEBS that has evaded some many of us.
John

[hschickel]

Quote: I'm afraid you are correct. VPN, at least with the Nortel Contivity software, will not work if it is routed through the AEBS, whether the AEBS is set to routing or bridging mode.

This worries me - Apple's NAT implementation is supposed to allow IPSec VPN passthrough. That it does not work in bridging mode is even more worriesome. I was going to add a real router to this subnet and bridge the base to that.

Have you specifically tried bridging your AEBS to the Netgear after getting the vpn set up trhough the netgear?

Hugh

[mule]

Quote: Originally posted by hschickel This worries me - Apple's NAT implementation is supposed to allow IPSec VPN passthrough.

Just a little note. AH+ESP will _never_ work when you are using NAT. NAT tampers with your IP Header data and thus AH will complain. Cisco is working on a solution which will be available late second quarter this year. It is a proprietary extension to the protocol itself. You can do VPN via NAT, just not with AH enabled.

[hschickel]

Quote: Just a little note. AH+ESP will _never_ work when you are using NAT. NAT tampers with your IP Header data and thus AH will complain.

This is quite true. I'm assuming this is not the issue though - as the user above is successful through his netgear. This is definitely not my issue as I'm using only ESP.

I'm going to have another go at this tonight. I think I have a solution. I'll post back if it works.

Hugh

[jbaugh]

Quote: Originally posted by hschickel Have you specifically tried bridging your AEBS to the Netgear after getting the vpn set up trhough the netgear? Hugh

Yes.

I have my cable modem connected to the WAN port on the Netgear router. My AEBS is set to bridging mode and is connected to one of the Ethernet ports on the Netgear via the LAN port of the AEBS. My Windows XP machine is connected to another Ethernet port on the Netgear router. I can file share both ways between my wireless Mac and the wired XP machine, share internet access between the two machines and even print to the Epson USB printer connected to the Mac from the XP machine. I can easily connect to my corporation's sites with Nortel Contivity client for Windows from the XP machine. But no connection occurs when I try to connect from my wireless Mac using the Mac VPN client under OS X. I haven't recently tried to see if I could connect from the Mac under OS 9.2.2. I would certainly like to hear from you if you figure out how to work around this apparent limitation of the AEBS.
John

[hschickel]

Quote: My AEBS is set to bridging mode and is connected to one of the Ethernet ports on the Netgear via the LAN port of the AEBS.

To get bridging to work I believe you need to do the following:

1. Plug the WAN port of the AEBS to a LAN port on your router using a crossover cable or uplink switch.

2. Open the airport utility and click the "Show All Settings" button. Then uncheck the "Distribute IP addresses" box.

3. Be sure your AEBS clients have IP addresses. They should be assigned via DHCP from the netgear or statically in the same subnet as the netgear.

Please let me know how this works. As noted above - I'd like to get my own setup running this evening or this weekend.

Hugh

EDIT - note: the crossover cable or uplink switch is very important. The AEBS WAN port will not auto-negotiate this!!!

[jbaugh]

I'll try your suggestions on hook up when I get home. I'm on call tonight and won't get home until late tomorrow morning.
The way I currently have the connections set up seems to work for everything except wireless VPN access. But if your suggested method works, that will be fine with me. Thanks for your interest. I'll get back.
John

[jbaugh]

Hugh,
I rewired my network to conform to your suggestions. I used a crossover cable to connect the AEBS from the WAN port (instead of the LAN port) to one of the Netgear's Ethernet ports. My AEBS is configured in the bridging mode (Distribute IP addresses is unchecked).
Each of my client machines has an IP address provided by DHCP from the Netgear router.

The results?
Exactly the same behavior as when I was connected via the LAN port of the AEBS via a patch cable. I still can't get the VPN client to connect whenever the AEBS is involved.
If you check at the Apple Support Discussion site you will find a long series of discussions about this same problem
http://discussions.info.apple.com/We...Sw.4@.3bc27541

You may prove me wrong. But I don't think it can be done.
John