Connecting to Fonolo using an IPSec VPN

Fonolo supports connections over a direct site-to-site IPsec VPN. This encrypts and authenticates the traffic between your network and Fonolo, and it can be configured for customers connecting to Fonolo using either the cloud-based SIP option (SIP Connect) or Fonolo appliances. To provide the information we need to set up an IPsec VPN for you, fill out the IPsec VPN Setup Form.

Important!

Only advertise public (non-RFC 1918) IP space over the VPN. Where private subnets are required for media, every endpoint must be NATed to a public IP before its traffic enters the tunnel.

IPSec Configuration

Fonolo uses two Cisco Catalyst 8000 Series Edge nodes in master-master (active/active) mode for redundancy, with the endpoint IP addresses 64.190.42.1 (VPN1, the default primary) and 64.190.42.2.

Fonolo supports the following encryption, hashing and Diffie-Hellman settings (IKEv2 is preferred):

  • IKEv1
    Attribute     Setting
    Encryption    AES-256
    Hashing       SHA-256, SHA-384, SHA-512
    DH Groups     5, 14, 15, 16, 19, 20, 21, 24
    PFS Groups    5, 14, 15, 19, 20, 21, 24
  • IKEv2 (preferred)
    Attribute     Setting
    Encryption    AES-256
    Hashing       SHA-256, SHA-384, SHA-512
    DH Groups     14, 15, 16, 19, 20, 21, 24
    PFS Groups    14, 15, 19, 20, 21, 24
    PRF           SHA-256, SHA-384, SHA-512

Fonolo’s default Phase 1 (IKE SA) and Phase 2 (IPsec SA) lifetimes are 86400 seconds and 3600 seconds, respectively. These can be adjusted to meet your requirements. Configure matching values on your side: in IKEv2 lifetimes are not negotiated, so a mismatch simply means the side with the shorter lifetime initiates each rekey, which makes rekey problems harder to trace.

Fonolo supports Pre-Shared Key (PSK) authentication only; certificate-based IKE authentication is not available. Use a long, randomly generated key rather than a passphrase.
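The following is an added example, not Fonolo's own tooling: a small checker that parses a candidate IKE and ESP proposal and reports anything outside the matrix above, so a mismatch is caught before the tunnel is attempted. Proposal strings use strongSwan's keyword notation (for example aes256-sha256-modp2048) as an assumption for compactness; the mapping of keywords to DH group numbers and the PRF handling are the example's, and the only values taken from the page are the algorithms, groups and PRFs listed above. Note the deliberate difference between the two checks: group 16 is a valid IKE DH group but not a valid PFS group, and the IKEv1 list allows group 5 while the IKEv2 list does not.

```python
from typing import Dict, List, Optional, Set, Tuple

# Algorithm matrix from this page, keyed by IKE version.
SUPPORTED: Dict[int, Dict[str, Set]] = {
    1: {"enc": {"aes256"}, "hash": {"sha256", "sha384", "sha512"},
        "dh": {5, 14, 15, 16, 19, 20, 21, 24}, "pfs": {5, 14, 15, 19, 20, 21, 24}},
    2: {"enc": {"aes256"}, "hash": {"sha256", "sha384", "sha512"},
        "dh": {14, 15, 16, 19, 20, 21, 24}, "pfs": {14, 15, 19, 20, 21, 24},
        "prf": {"sha256", "sha384", "sha512"}},
}

# strongSwan keyword -> IANA DH group number, for the groups Fonolo lists
# (assumed notation for this example; any other keyword is rejected).
DH_KEYWORDS = {"modp1536": 5, "modp2048": 14, "modp3072": 15, "modp4096": 16,
               "ecp256": 19, "ecp384": 20, "ecp521": 21, "modp2048s256": 24}


def parse_proposal(text: str) -> Tuple[str, str, Optional[int]]:
    """Split 'aes256-sha256-modp2048' into (encryption, integrity, dh_group).

    The DH part is optional: an ESP proposal without it means no PFS."""
    parts = text.strip().lower().split("-")
    if len(parts) not in (2, 3) or not all(parts):
        raise ValueError(f"malformed proposal {text!r}; expected enc-integ[-dhgroup]")
    enc, integ = parts[0], parts[1]
    group = None
    if len(parts) == 3:
        if parts[2] not in DH_KEYWORDS:
            raise ValueError(f"unknown or unsupported DH keyword {parts[2]!r}")
        group = DH_KEYWORDS[parts[2]]
    return enc, integ, group


def check_ike(version: int, proposal: str, prf: Optional[str] = None) -> List[str]:
    """Problems with a Phase 1 / IKE_SA proposal; an empty list means it is acceptable."""
    m = SUPPORTED[version]
    enc, integ, group = parse_proposal(proposal)
    problems = []
    if enc not in m["enc"]:
        problems.append(f"IKEv{version} encryption {enc}: only AES-256 is supported")
    if integ not in m["hash"]:
        problems.append(f"IKEv{version} integrity {integ}: use SHA-256/384/512")
    if group is None:
        problems.append("IKE proposal must name a DH group")
    elif group not in m["dh"]:
        problems.append(f"IKEv{version} DH group {group} is not supported")
    if version == 2:
        # strongSwan derives the PRF from the integrity algorithm when none is given.
        prf = (prf or integ).lower()
        if prf not in m["prf"]:
            problems.append(f"IKEv2 PRF {prf}: use SHA-256/384/512")
    return problems


def check_esp(version: int, proposal: str) -> List[str]:
    """Problems with a Phase 2 / CHILD_SA proposal. A DH group here means PFS, and the
    PFS list is narrower than the IKE DH list (group 16 is IKE-only)."""
    m = SUPPORTED[version]
    enc, integ, group = parse_proposal(proposal)
    problems = []
    if enc not in m["enc"]:
        problems.append(f"ESP encryption {enc}: only AES-256 is supported")
    if integ not in m["hash"]:
        problems.append(f"ESP integrity {integ}: use SHA-256/384/512")
    if group is not None and group not in m["pfs"]:
        problems.append(f"PFS group {group} is not in the IKEv{version} PFS list")
    return problems


if __name__ == "__main__":
    # Constructed proposals, as a customer might put them in a swanctl.conf.
    for ver, ike, esp in [(2, "aes256-sha256-modp2048", "aes256-sha256-modp2048"),
                          (2, "aes256-sha256-modp1536", "aes256-sha256-modp4096"),
                          (1, "aes256-sha256-modp1536", "aes256-sha256")]:
        verdict = check_ike(ver, ike) + check_esp(ver, esp) or ["OK"]
        print(f"IKEv{ver} {ike} / {esp}: {verdict}")
```

Run it against the exact strings you intend to configure; the second constructed case is the one that usually bites, because a proposal that is fine for IKE (group 16) is rejected when reused unchanged as the ESP/PFS proposal.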

Routing Configuration

For SIP Connect deployments, Fonolo uses 64.190.42.32/28 for the various SIP peers. For Appliance deployments, Fonolo uses 64.190.42.128/25 for the various cloud infrastructure required for the service.

Fonolo supports several routing configurations for IPsec connectivity:

(Preferred) Route/Tunnel-Based VPN with VTIs and BGP Routing

  • Fonolo assigns a /30 per VTI for BGP peering from the 169.254.64.0/18 block (part of the link-local 169.254.0.0/16 range). The first usable IP in each /30 is the customer side of the VTI and the second usable IP is the Fonolo side.
  • Fonolo’s public ASN is 63350. Your ASN can be either public or private. If you prefer private, your ASN must be agreed upon with Fonolo before configuration.
  • Fonolo supports either point-to-multipoint (single customer node) or multipoint-to-multipoint (multiple customer nodes) in this configuration.
  • Fonolo controls route preference by advertising a higher BGP MED on the less-preferred path (lower MED wins). Keep your inbound policy honouring MED rather than overriding it with local preference, otherwise the two sides may pick different tunnels and traffic becomes asymmetric.
  • This configuration provides the best redundancy and failover time.

Route/Tunnel-Based VPN with VTIs and Static Routing

  • Fonolo assigns a /30 per VTI as the static-route source/destination from the 169.254.64.0/18 block (part of the link-local 169.254.0.0/16 range). The first usable IP in each /30 is the customer side of the VTI and the second usable IP is the Fonolo side.
  • Fonolo weights its routes to prefer the VPN1 endpoint 64.190.42.1. You must configure your static routes to prefer the same endpoint (for example with a lower metric on that VTI), otherwise traffic leaves over one tunnel and returns over the other.
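As an added example covering the /30 assignment and the static-route preference in both VTI sections above (not Fonolo's own tooling), the script below derives the customer and Fonolo addresses from an assigned /30, refuses anything that is not a /30 inside 169.254.64.0/18, and builds a static-route plan for the Fonolo prefixes that lands on the VPN1 endpoint first. The tunnel label "VPN2" for 64.190.42.2, the metric values, the VTI device names and the /30s in the demo are assumptions made for the example; use the /30s Fonolo actually assigns to you.

```python
import ipaddress
from typing import Dict, List, Tuple

VTI_POOL = ipaddress.ip_network("169.254.64.0/18")       # pool Fonolo allocates /30s from
FONOLO_ENDPOINTS = {"VPN1": "64.190.42.1", "VPN2": "64.190.42.2"}   # "VPN2" label assumed
FONOLO_PREFIXES = {                                     # what to route into the tunnels
    "sip_connect": ["64.190.42.32/28"],
    "appliance": ["64.190.42.128/25"],
}
# Assumption for this example: lower metric wins, and VPN1 must win (see above).
METRIC = {"VPN1": 10, "VPN2": 20}


def vti_addresses(cidr: str) -> Tuple[str, str]:
    """(customer_ip, fonolo_ip) for an assigned /30: first usable is yours, second is Fonolo's."""
    net = ipaddress.ip_network(cidr)           # strict by default: rejects "169.254.64.1/30"
    if net.prefixlen != 30 or not net.subnet_of(VTI_POOL):
        raise ValueError(f"{cidr} is not a /30 inside {VTI_POOL}")
    customer, fonolo = net.hosts()             # a /30 has exactly two usable addresses
    return str(customer), str(fonolo)


def static_route_plan(deployment: str, vtis: Dict[str, str]) -> List[dict]:
    """Static routes for the Fonolo prefixes via each VTI, ordered best-first per prefix.

    vtis maps "VPN1"/"VPN2" to the /30 Fonolo assigned for that tunnel."""
    unknown = set(vtis) - set(FONOLO_ENDPOINTS)
    if unknown:
        raise ValueError(f"unknown tunnel names: {sorted(unknown)}")
    routes = []
    for name, cidr in vtis.items():
        _, next_hop = vti_addresses(cidr)      # next hop is always the Fonolo side of the /30
        for prefix in FONOLO_PREFIXES[deployment]:
            routes.append({"prefix": prefix, "via": next_hop,
                           "endpoint": FONOLO_ENDPOINTS[name], "metric": METRIC[name]})
    routes.sort(key=lambda r: (r["prefix"], r["metric"]))
    return routes


def preferred_endpoint(routes: List[dict], prefix: str) -> str:
    """Endpoint the lowest-metric route for `prefix` lands on; must be 64.190.42.1."""
    best = min((r for r in routes if r["prefix"] == prefix), key=lambda r: r["metric"])
    return best["endpoint"]


def as_ip_route(routes: List[dict], ifnames: Dict[str, str]) -> List[str]:
    """Render as Linux `ip route` commands; ifnames maps endpoint IP -> VTI device name."""
    return [f"ip route add {r['prefix']} via {r['via']} dev {ifnames[r['endpoint']]} "
            f"metric {r['metric']}" for r in routes]


if __name__ == "__main__":
    # Constructed /30s for illustration only; use the ones Fonolo assigns to you.
    plan = static_route_plan("sip_connect",
                             {"VPN1": "169.254.64.0/30", "VPN2": "169.254.64.4/30"})
    for line in as_ip_route(plan, {"64.190.42.1": "vti1", "64.190.42.2": "vti2"}):
        print(line)
    print("preferred endpoint:", preferred_endpoint(plan, "64.190.42.32/28"))
```

The strict network parse is the useful part: typing the first usable address of the /30 where the network address belongs (or the Fonolo-side address where your own belongs) is the most common cause of a tunnel that comes up but never passes traffic, and the check fails loudly on it instead of silently producing a plan.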

Policy-Based VPN

  • Fonolo supports either point-to-multipoint (single customer node) or multipoint-to-multipoint configuration (multiple customer nodes) in this configuration.
  • We strongly recommend configuring both VPN endpoints in either scenario for redundancy.
  • Tunnel connectivity is initiated by customer-side traffic only, so for a SIP Connect deployment you must send SIP OPTIONS to Fonolo to bring the tunnel up and keep it up. Fonolo Appliance deployments send regular keepalive pings to the Fonolo infrastructure to maintain tunnel connectivity.
