Fonolo supports connecting to companies via a direct site-to-site IPsec VPN. This provides an extra layer of security, and can be configured for customers connecting to Fonolo using either the Cloud-Based SIP option or the Fonolo Appliances. You can return the specific information required for your Fonolo deployment using the IPsec VPN Setup Form below.
Fonolo uses a pair of Cisco 5500 series Adaptive Security Appliances, in master-slave failover mode, to ensure high availability.
The default Phase 1 / Phase 2 configuration settings are:
- Fonolo VPN Endpoint: 220.127.116.11
- IKEv1 + IPsec
- Encryption: aes-256 (aes-192 and aes-128 are also supported)
- Integrity: sha1-hmac
- DH Group: 5 (Groups 1, 2, 19, 20, 21 are also supported)
- Phase 1 Lifetime: 86400 seconds
- Phase 2 Lifetime: 3600 seconds
- PFS enabled, DH Group 5 (Groups 1, 2, 19, 20, 21 are also supported)
- Shared secret authentication (pre-negotiated key)
For Cloud-Based SIP, Fonolo will advertise 18.104.22.168/29, which covers all six Fonolo SIP gateways. For Appliance customers, Fonolo will advertise 22.214.171.124/26.
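As an added example (not Fonolo's own configuration), this is how the default proposal above could be written on a customer gateway running strongSwan with the legacy `ipsec.conf` format. The choice of strongSwan, the connection name, the customer endpoint 203.0.113.10 and the customer subnet 10.20.0.0/24 are assumptions; the Fonolo endpoint, the advertised range and the proposal values are taken from the list above.

```conf
# /etc/ipsec.conf (strongSwan, legacy format) - added example, not from Fonolo.
# Constructed values: conn name, 203.0.113.10, 10.20.0.0/24.
conn fonolo-sip
    # Page default: IKEv1 + IPsec with shared secret authentication.
    keyexchange=ikev1
    authby=secret
    type=tunnel
    # Customer side (constructed placeholder addresses).
    left=203.0.113.10
    leftsubnet=10.20.0.0/24
    # Fonolo side: VPN endpoint and the Cloud-Based SIP range from the page.
    # Appliance customers would use 22.214.171.124/26 as rightsubnet instead.
    right=220.127.116.11
    rightsubnet=18.104.22.168/29
    # Phase 1: aes-256, sha1-hmac, DH Group 5 (modp1536 in strongSwan naming).
    # The trailing "!" offers only this proposal, so the tunnel cannot
    # silently negotiate something other than what was agreed.
    ike=aes256-sha1-modp1536!
    ikelifetime=86400s
    # Phase 2: same ciphers; naming a DH group in esp= enables PFS.
    esp=aes256-sha1-modp1536!
    lifetime=3600s
    # Bring the tunnel up when the daemon starts.
    auto=start

# The page also lists DH Groups 19, 20 and 21 as supported. In strongSwan these
# are ecp256, ecp384 and ecp521, and one of them can replace modp1536 in both
# ike= and esp= once agreed with Fonolo. RFC 8247 rates 1536-bit MODP
# (Group 5) as SHOULD NOT and Group 19 as SHOULD for IKEv2.

# Matching entry for /etc/ipsec.secrets (key value is a placeholder):
# 203.0.113.10 220.127.116.11 : PSK "<pre-negotiated key>"
```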
Fonolo supports multiple customer VPN endpoints, and will fail over in the event the connection to the primary endpoint fails.
Fonolo can also optionally support IKEv2 VPN connections, but does not currently support multiple endpoints for IKEv2.