
Does SCN require a VPN?

Status
Not open for further replies.

raist3001

Technical User
Jun 11, 2013
150
US
Hello all, I am new to Small community networking. I have been searching the net for information on installation and configuration.

Does SCN require a VPN between locations? I have public IPs for both locations. Can I use this information to communicate between IP Offices?

What I see in my license menu is:
IP500 VNC 4

I have seen the following posted here in these forums:

Create an IP line and set it to SCN. (IS THIS A NEW H323 LINE?)
Give it a unique line id
Set the number of channels that the trunk must have.
This cannot be more than VCM channels and you need to be sure you have enough bandwidth.
Skip the shortcodes field because mostly you do not need them there.
Go to voip settings and set the IP address of the remote IPO
Set the right codec and set IPOffice SCN
Be sure that direct media path is turned on.

Then build an iproute
Basic is:

0.0.0.0
0.0.0.0
gateway IP address

You could create a more specific route.

Do the same on the other IPO.

 
Oh, and you do have VCM card fitted on both systems?

Kind regards

Gunnar
______________________________________
Mille viae ducunt homines per saecula Romam

 
I have 2 D-Link DSR 250's.
Yes, VCM cards installed on both systems.


I can change the IP route in the IPO to the following?
IP address: 192.168.10.0 (remote Subnet)
IP Mask: 255.255.255.0
Gateway IP Address: IP of local FW

IP address: 192.168.20.0 (remote subnet)
IP Mask: 255.255.255.0
Gateway IP Address: IP of local firewall

Firewall:
Custom services created for Ports 49152-53247/UDP

Firewall rules Created:
From Zone: WAN
To Zone: LAN
Service: Custom Service created above
Action: Always Allow
Source Hosts: Any
Internal IP: IP of local IPO








 
I also have an error in my System Status for both units:

There is a conflict with Small Community Network dial plan numbers received from 192.168.20.10

There is a conflict with Small Community Network dial plan numbers received from 192.168.10.10
 
You should solve these issues first.

You can find them in SSA under resource\directory ordered by extension numbers. You will see what numbers are created in both systems.

I would think of some kind of ALG, H323 helper, H323 Fixup or something like that in one or both firewalls.
 
There aren't any conflicting extensions that I can see.

One side has 300 series extensions and the other has 400 series extensions.

In SSA under resource\directory I can click on conflicts and it shows me which extensions are conflicting, but I cannot find these extensions on either of the remote units.

All ALGs are off on both firewalls.
 
Ohhh... you got conflicts, so clean up the configs.

And by the looks of it, you picked the biggest cannon of them all and blew a hole in your firewall(s).
By making that custom rule, everyone can access port 49152-53247/UDP. That's an exceptionally bad idea!
("Source Hosts: Any" is not the other side of a VPN tunnel, but anything on the Internet, and your 0.0.0.0 routes make it even worse)

On your firewalls:


Advanced> Firewall settings> ALGS> Uncheck H323 and SIP
+
Advanced> Firewall settings> VPN Passthrough> Check all three of them

You can read more about it from page 77 and on in this manual:

You will find this on page 78:

"A specific firewall rule or service is not appropriate to introduce this passthrough support"




Kind regards

Gunnar
______________________________________
Mille viae ducunt homines per saecula Romam
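
The concern raised in the reply above (a WAN-to-LAN allow rule with "Source Hosts: Any" over UDP 49152-53247) can be checked mechanically. The following is an added example, not part of the original thread and not D-Link's configuration format: the dictionary field names, the `audit_rule` helper and the peer address 203.0.113.10 (a documentation-range placeholder) are all assumptions made for illustration.

```python
import ipaddress

# Constructed representation of the rule posted in the thread.
POSTED_RULE = {
    "from_zone": "WAN", "to_zone": "LAN", "action": "allow",
    "proto": "udp", "ports": (49152, 53247), "source": "any",
}

# Same service, with the source pinned to the remote site's public address
# (placeholder value, not taken from the thread).
PINNED_RULE = dict(POSTED_RULE, source="203.0.113.10/32")


def exposed_ports(rule):
    """Number of ports covered by the rule's inclusive port range."""
    lo, hi = rule["ports"]
    return hi - lo + 1


def audit_rule(rule, trusted_peers):
    """Return findings for one rule; an empty list means nothing to report."""
    if rule["action"] != "allow":
        return []
    if (rule["from_zone"], rule["to_zone"]) != ("WAN", "LAN"):
        return []
    proto = rule["proto"].upper()
    if rule["source"].lower() == "any":
        return [f"source is Any: {exposed_ports(rule)} {proto} ports "
                "are reachable from every Internet host"]
    src = ipaddress.ip_network(rule["source"], strict=False)
    trusted = [ipaddress.ip_network(p) for p in trusted_peers]
    if not any(src.subnet_of(t) for t in trusted):
        return [f"source {src} is not a known peer site"]
    return []


if __name__ == "__main__":
    peers = ["203.0.113.10/32"]
    for name, rule in (("posted", POSTED_RULE), ("pinned", PINNED_RULE)):
        print(name, audit_rule(rule, peers) or "no findings")
```
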

 
Derfloh, to make the new SCN work you need more than 1 port open, you also need the RTP ports :)

 
Yeah, in your first post in this thread:)

Kind regards

Gunnar
______________________________________
Mille viae ducunt homines per saecula Romam

 
Thanks for the suggestion guys.

My firewall is wide open at the moment to make sure the SCN is working. Once I know it is working I can begin to lock down my firewalls. Even at wide open, I have no audio.

There are no EXT conflicts that I can find regardless of what Status is showing. There are no duplicate 300 or 400 series extensions on the respective opposite sides.

My firewall is set to allow all VPN passthrus, and all ALG items are off.

Since the SCN tunnel is up according to Monitor and status, I have to believe I have a firewall issue. I just don't see it...yet.
 
OK, I found the conflicting errors and have resolved them.
Still no audio. Phones on the other end ring, just no audio.

The DSR-250's do not block any locally created traffic on the LAN thru the VPN tunnel. I have confirmed this with D-LINK Technicians and a few Network admins. Usually internal traffic is never blocked on a firewall.

Could any Firewall profiles on the IPO units be giving me the headache?
 
For Voicemail type, does SCN require VoicemailPro?
Currently customer has Embedded voicemail. Can I use embedded voicemail? Right now their voicemail is down.
Do I need to change Supplementary Services to H450?
 
For SCN you need Preferred edition (VMPro).
Don't you see the red alarm and warning about this on every config save you've done?

Kind regards

Gunnar
______________________________________
Mille viae ducunt homines per saecula Romam

 
There has been no warning in regards to voicemail type being set to VMPro. There wouldn't be since it was set to VMPro. Now that I have changed to embedded VM, I have the error message.
Now I am being told to change Supplementary services to H450, which solves the VM error messages.

Still no audio.
VPN is wide open. Nothing is being blocked.


 
I found the problem.
Although my tunnel is wide open, and does not restrict any local LAN traffic, the IPSEC policy did have an option to allow NAT Traversal. I turned this off on both Firewalls, and Audio was restored.

I wish to thank everyone who shared some time with me in hopes of helping me to resolve this issue. I am very grateful.

Thank you,

Tony
 
Excellent!

Kind regards

Gunnar
______________________________________
Mille viae ducunt homines per saecula Romam

 