Fonolo supports connections over a direct site-to-site IPsec VPN. This adds a layer of security and can be configured for customers connecting to Fonolo either through the cloud-based SIP option or through Fonolo appliances. To give us the information we need to set up an IPsec VPN for you, fill out the IPSec VPN Setup Form:
IPSec VPN Setup Form - Updated Infrastructure
IPSec Configuration
Fonolo uses two Cisco Catalyst 8000 Series Edge nodes, in master-master mode for increased redundancy, using the endpoint IP addresses 64.190.42.1 (VPN1 – default primary) and 64.190.42.2.
Fonolo can support the following encryption and hashing algorithms:
- IKEv1
  - Encryption: AES-256
  - Hashing: SHA-256, SHA-384, SHA-512
  - DH Groups: 5, 14, 15, 16, 19, 20, 21, 24
  - PFS Groups: 5, 14, 15, 19, 20, 21, 24
- IKEv2 (preferred)
  - Encryption: AES-256
  - Hashing: SHA-256, SHA-384, SHA-512
  - DH Groups: 14, 15, 16, 19, 20, 21, 24
  - PFS Groups: 14, 15, 19, 20, 21, 24
  - PRF: SHA-256, SHA-384, SHA-512
Fonolo’s default Phase 1/Phase 2 Lifetime configuration is set to 86400 seconds and 3600 seconds, respectively. This can be adjusted to meet your requirements.
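The following is an added example (not Fonolo's code) that checks a customer-side proposal against the algorithm sets and default lifetimes listed above. The supported sets are copied from this page; the `Proposal` structure and function names are this example's own. It is mainly useful for catching the mismatch the two tables make easy to miss: the PFS group set is narrower than the DH group set (group 16 is Phase 1 only, and group 5 is IKEv1 only), so a proposal can pass Phase 1 and still fail Phase 2.

```python
"""Check a customer-side IKE/IPsec proposal against the algorithm sets Fonolo
publishes. Added example, not Fonolo's code: the supported sets and default
lifetimes are copied from the page; the Proposal structure is this example's own."""
from dataclasses import dataclass
from typing import List, Optional

# Algorithm sets as published, keyed by IKE version (IKEv2 is preferred).
SUPPORTED = {
    1: {
        "encryption": {"AES-256"},
        "hashing": {"SHA-256", "SHA-384", "SHA-512"},
        "dh_groups": {5, 14, 15, 16, 19, 20, 21, 24},
        "pfs_groups": {5, 14, 15, 19, 20, 21, 24},
    },
    2: {
        "encryption": {"AES-256"},
        "hashing": {"SHA-256", "SHA-384", "SHA-512"},
        "dh_groups": {14, 15, 16, 19, 20, 21, 24},
        "pfs_groups": {14, 15, 19, 20, 21, 24},
        "prf": {"SHA-256", "SHA-384", "SHA-512"},
    },
}

# Default SA lifetimes in seconds (Phase 1 / IKE SA, Phase 2 / IPsec SA).
DEFAULT_LIFETIMES = {"phase1": 86400, "phase2": 3600}


@dataclass
class Proposal:
    """What the customer gateway offers; field names are this example's own."""
    ike_version: int
    encryption: str
    hashing: str
    dh_group: int                 # Phase 1 (IKE SA) Diffie-Hellman group
    pfs_group: Optional[int]      # Phase 2 (IPsec SA) group; None = no PFS
    prf: Optional[str] = None     # IKEv2 only
    phase1_lifetime: int = 86400
    phase2_lifetime: int = 3600


def check_proposal(p: Proposal) -> List[str]:
    """Return the reasons a proposal would fail to match; empty means it matches."""
    if p.ike_version not in SUPPORTED:
        return [f"IKEv{p.ike_version} is not supported; use IKEv2 (preferred) or IKEv1"]
    s = SUPPORTED[p.ike_version]
    problems = []
    if p.encryption not in s["encryption"]:
        problems.append(f"encryption {p.encryption} not supported; use AES-256")
    if p.hashing not in s["hashing"]:
        problems.append(f"hashing {p.hashing} not supported")
    if p.dh_group not in s["dh_groups"]:
        problems.append(f"DH group {p.dh_group} not supported for IKEv{p.ike_version}")
    # The PFS set is narrower than the DH set (group 16 is Phase 1 only), so a
    # group that negotiates Phase 1 successfully can still fail Phase 2.
    if p.pfs_group is not None and p.pfs_group not in s["pfs_groups"]:
        problems.append(f"PFS group {p.pfs_group} not supported for Phase 2")
    if p.ike_version == 2:
        if p.prf is None:
            problems.append("IKEv2 needs a PRF: SHA-256, SHA-384 or SHA-512")
        elif p.prf not in s["prf"]:
            problems.append(f"PRF {p.prf} not supported")
    elif p.prf is not None:
        problems.append("PRF is an IKEv2 attribute; omit it for IKEv1")
    return problems


def lifetime_notes(p: Proposal) -> List[str]:
    """Lifetimes that differ from Fonolo's defaults are allowed but must be
    agreed on both sides, so they are reported separately from hard failures."""
    notes = []
    for phase, default in DEFAULT_LIFETIMES.items():
        value = getattr(p, f"{phase}_lifetime")
        if value != default:
            notes.append(f"{phase} lifetime {value}s differs from default {default}s; confirm with Fonolo")
    return notes


if __name__ == "__main__":
    # Constructed sample: group 16 negotiates Phase 1 but is not a PFS group.
    sample = Proposal(2, "AES-256", "SHA-256", dh_group=16, pfs_group=16, prf="SHA-256")
    for line in check_proposal(sample) + lifetime_notes(sample):
        print(line)
```

Run it against the proposal your gateway is configured to send before submitting the setup form; an empty result from `check_proposal` means every attribute intersects the published sets, and `lifetime_notes` lists anything that needs to be agreed with Fonolo rather than left at the defaults.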
Routing Configuration
For SIP Connect deployments, Fonolo uses 64.190.42.32/28 for the various SIP peers. For Appliance deployments, Fonolo uses 64.190.42.128/25 for the various cloud infrastructure required for the service.
Fonolo supports several routing configurations for IPsec connectivity:
(Preferred) Route/Tunnel-Based VPN with VTIs and BGP Routing
- Fonolo assigns a /30 subnet per VTI for BGP peering in the link-local 169.254.64.0/18 range. The first usable IP is assigned to the customer side of the VTI, with the second usable IP assigned to the Fonolo side.
- Fonolo’s public ASN is 63350. Your ASN can be either public or private. If you prefer private, your ASN must be agreed upon with Fonolo before configuration.
- Fonolo supports either point-to-multipoint (single customer node) or multipoint-to-multipoint (multiple customer nodes) in this configuration.
- Fonolo controls route preference through advertisement of an increased BGP MED attribute.
- This configuration provides the best redundancy and failover time.
Route/Tunnel-Based VPN with VTIs and Static Routing
- Fonolo assigns a /30 subnet per VTI for static route source/destination in the link-local 169.254.64.0/18 range. The first usable IP is assigned to the customer side of the VTI, with the second usable IP assigned to the Fonolo side.
- Fonolo weights its routes to prefer the VPN1 endpoint (64.190.42.1). You must configure your side to prefer the same endpoint to prevent asymmetric routing.
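As an added example (not Fonolo's code), the script below turns the VTI and static-routing rules from the two route-based options above into a concrete customer-side plan: it splits each assigned /30 into the customer (first usable) and Fonolo (second usable) addresses, rejects anything that is not a /30 inside 169.254.64.0/18, builds a static route to the service prefix per tunnel with VPN1 preferred, and checks whether an existing set of route metrics already prefers VPN1 as Fonolo does. The endpoint addresses, peering range and service prefixes come from this page; the specific /30s used are constructed placeholders, since Fonolo assigns the real ones, and all function names are this example's own.

```python
"""Plan customer-side VTI addressing and static route preference for both
Fonolo endpoints. Added example, not Fonolo's code: the endpoint IPs, the
169.254.64.0/18 range, the /30-per-VTI rule, the service prefixes and the
'prefer VPN1' rule come from the page; the /30s used below are constructed
placeholders, since Fonolo assigns the real ones."""
import ipaddress
from typing import Dict, List

FONOLO_ENDPOINTS = {
    "VPN1": ipaddress.ip_address("64.190.42.1"),  # default primary
    "VPN2": ipaddress.ip_address("64.190.42.2"),
}
PREFERRED_ENDPOINT = "VPN1"
VTI_RANGE = ipaddress.ip_network("169.254.64.0/18")
SIP_CONNECT_PREFIX = ipaddress.ip_network("64.190.42.32/28")   # SIP Connect peers
APPLIANCE_PREFIX = ipaddress.ip_network("64.190.42.128/25")    # Appliance cloud side


def vti_addresses(assigned: str) -> Dict[str, object]:
    """Split an assigned /30 into the customer (first usable) and Fonolo
    (second usable) VTI addresses, rejecting anything outside the rules."""
    net = ipaddress.ip_network(assigned, strict=True)
    if net.prefixlen != 30:
        raise ValueError(f"{assigned}: VTI subnets are /30, not /{net.prefixlen}")
    if not net.subnet_of(VTI_RANGE):
        raise ValueError(f"{assigned}: outside the {VTI_RANGE} peering range")
    customer, fonolo = list(net.hosts())  # a /30 has exactly two usable hosts
    return {"network": net, "customer": customer, "fonolo": fonolo}


def static_route_plan(assignments: Dict[str, str],
                      destination: ipaddress.IPv4Network) -> List[Dict[str, object]]:
    """One static route to the Fonolo service prefix per tunnel. VPN1 gets the
    lower metric so the customer prefers the endpoint Fonolo weights toward."""
    plan = []
    for name, assigned in assignments.items():
        if name not in FONOLO_ENDPOINTS:
            raise ValueError(f"unknown endpoint {name}")
        addrs = vti_addresses(assigned)
        plan.append({
            "tunnel": name,
            "peer": FONOLO_ENDPOINTS[name],
            "local_vti": addrs["customer"],
            "next_hop": addrs["fonolo"],
            "destination": destination,
            "metric": 10 if name == PREFERRED_ENDPOINT else 20,
        })
    return sorted(plan, key=lambda route: route["metric"])


def preference_matches(metrics: Dict[str, int]) -> bool:
    """Given the customer's current per-tunnel route metrics, return True only
    when VPN1 alone has the best metric. A tie or a VPN2 win means return
    traffic from Fonolo would come back over a different tunnel."""
    if PREFERRED_ENDPOINT not in metrics:
        return False
    best = min(metrics.values())
    winners = [name for name, metric in metrics.items() if metric == best]
    return winners == [PREFERRED_ENDPOINT]


if __name__ == "__main__":
    # Constructed placeholder assignments; Fonolo issues the real /30s.
    plan = static_route_plan({"VPN1": "169.254.64.0/30", "VPN2": "169.254.64.4/30"},
                             SIP_CONNECT_PREFIX)
    for route in plan:
        print(f"{route['destination']} via {route['next_hop']} dev {route['tunnel']} "
              f"metric {route['metric']} (peer {route['peer']})")
    print("existing metrics prefer VPN1:", preference_matches({"VPN1": 10, "VPN2": 20}))
```

Use `APPLIANCE_PREFIX` as the destination for an Appliance deployment and `SIP_CONNECT_PREFIX` for SIP Connect; the same addressing helper applies to the BGP option, where the /30 addresses become the BGP neighbor pair and Fonolo, rather than your metrics, steers preference through MED.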
Policy-Based VPN
- Fonolo supports either point-to-multipoint (single customer node) or multipoint-to-multipoint (multiple customer nodes) in this configuration.
- We strongly recommend that both VPN endpoints are configured in both scenarios for redundancy.
- Tunnel connectivity is initiated by customer-side traffic only, so SIP OPTIONS must be configured for a SIP Connect deployment to keep the tunnel up. Fonolo Appliance deployments send regular keepalive pings to the Fonolo infrastructure to maintain tunnel connectivity.