Connecting to Fonolo via an IPSec VPN

Fonolo supports connecting to companies via a direct site-to-site IPsec VPN. This provides an extra layer of security, and can be configured for customers connecting to Fonolo using either the Cloud-Based SIP option, or via the Fonolo Appliances – you can return the specific information required for your Fonolo deployment using the IPSec VPN Setup Form below:

Fonolo uses a pair of Cisco 5500 series Adaptive Security Appliances, in master-slave failover mode, to ensure high availability.

The default phase1 / phase2 configuration settings are:

  • Fonolo VPN Endpoint:
  • IKEv1 + IPsec
  • Encryption: aes-256 (aes-192 and aes-128 are also supported)
  • Integrity: sha1-hmac
  • DH Group: 5 (Groups 1, 2, 19, 20, 21 are also supported)
  • Phase 1 Lifetime: 86400 seconds
  • Phase 2 Lifetime: 3600 seconds
  • PFS enabled, DH Group 5 (Groups 1, 2, 19, 20, 21 are also supported)
  • Shared secret authentication (pre-negotiated key)

For Cloud-Based SIP, Fonolo will advertise, which covers all six Fonolo SIP gateways. For Appliance customers, Fonolo will advertise


Customers may only advertise public (non-RFC1918) IP space via the VPN. In cases where private subnets are required for media, all endpoints must utilise NAT to a public IP.

Fonolo supports multiple customer VPN endpoints, and will fail over in the event the connection to the primary endpoint fails.

Fonolo can also optionally support IKEv2 VPN connections, but does not currently support multiple endpoints for IKEv2.

Related Articles

Fonolo’s Status Page
Check to see the status of Fonolo's core services. Any incidents that may occur will be reported here.
Check Status