Connecting to Fonolo via an IPSec VPN

Fonolo supports connecting to companies via a direct site-to-site IPsec VPN. This provides an extra layer of security, and can be configured for customers connecting to Fonolo using either the Cloud-Based SIP option, or via the Fonolo Appliances.

Fonolo uses a pair of Cisco 5500 series Adaptive Security Appliances, in master-slave failover mode, to ensure high availability.

The default phase1 / phase2 configuration settings are:

  • Fonolo VPN Endpoint: 72.15.59.157
  • IKEv1 + IPsec
  • Encryption: aes-256 (aes-192 and aes-128 are also supported)
  • Integrity: sha1-hmac
  • DH Group: 5 (Groups 1, 2, 19, 20, 21 are also supported)
  • Phase 1 Lifetime: 86400 seconds
  • Phase 2 Lifetime: 3600 seconds
  • PFS enabled, DH Group 5 (Groups 1, 2, 19, 20, 21 are also supported)
  • Shared secret authentication (pre-negotiated key)

For Cloud-Based SIP, Fonolo will advertise 66.207.221.160/29, which covers all six Fonolo SIP gateways. For Appliance customers, Fonolo will advertise 66.207.221.128/26.

Customers may advertise private (RFC 1918) IP space via the VPN, provided that IP space does not conflict with Fonolo, or another Fonolo customer, otherwise NAT may be required at the customer side to avoid conflicting IP space.

Fonolo supports multiple customer VPN endpoints, and will fail over in the event the connection to the primary endpoint fails.

Fonolo can also optionally support IKEv2 VPN connections, but does not currently support multiple endpoints for IKEv2.

Related Articles