vicidial.org

[johnt]

I wanted to see if anyone had try to run SIP/RTP over a VPN connection using an ASA security appliance. I'm sure it is technically possible, but my concern is performance and quality. I am looking at running 20 or so remote agents, ie they would be on the public internet. I would like to securely connect them to the VICI Dialer and was thinking about doing it over a Cisco AnyConnect VPN or I could use the traditional IPSEC, but would prefer AnyConnect because of its simplicity. Anyone ever tried this before with success? Thanks!

[williamconley]

This would be a question for The Vicidial Group directly. I believe they have built these systems. However: We have found our best setup to be whitelist IP address configuration instead of VPN. VPN creates a bit of a bottleneck and while it is viable, it must be Enterprise level to allow the necessary throughput speed with no loss or jitter. Whereas IP whitelisting (properly done) requires none of this and has zero footprint on quality. As soon as a link is ESTABLISHED, the system considers it authorized and stops checking it. So far, we've had no hacks (except social) with this system. And a social hack will get past VPN very easily just like whitelisting. LOL

I do know it is entirely possible to run a massive facility over VPN, but this requires a hardware based VPN solution with dedicated networking (still public, but excellent quality bandwidth). This generally results in proprietary hardware and a fair amount of money.

BUT: If you do try it, please post your results. If it works it is certainly worth hearing about.

[johnt]

Hi William, thanks for the response. I'll check in with VICI Group. I think I am certainly going to give it a try. The reason I am doing it is more from a PCI DSS compliance stand point that in a nutshell says that all VOIP traffic over a open/public network must be encrypted. If you have any better ideas to get around this I would love to hear it.

[williamconley]

If you are in that boat, honestly, it is a waste of time to do anything other than Call Vicidial Group. Not that we couldn't handle it ... but this is a networking hardware issue and something they have dealt with in the past.

Whoever you do use, though, be VERY sure they have done this with Asterisk in the pipeline with hundreds of active channels. It REALLLLLLY makes a difference. LOL (the word "nightmare" comes to mind, but not until after you hit Full Power in the pipeline ...)