Getting Started with Restcomm VPN

Overview

Secure your communications between your infrastructure and Telestax services using IPsec tunnels. With Restcomm Interconnect, we provide the possibility of a secure private and encrypted connection to Restcomm. To do that, we establish a site-to-site VPN connection from your infrastructure to Restcomm BYOC border devices. Currently, we provide VPN enablement only for our SMSC services (SMPP protocol). We are expecting to expand it to more protocols in the near future (such as SIP, RTP, HTTP).

Restcomm VPN Site-To-Site Connectivity

VPN Interconnect Diagram

Required from Our Customers

VPN Gateway

  • On your end, you have a device with IPSec capabilities exposing a public IPv4 to Telestax. This IP will be addressable/routable globally on the internet.

Encryption Domain

  • One or more of your IP networks that will have access to Telestax through the VPN tunnel. Your border devices (e.g. IP-PBX, SIP-PRI IAD, Session Border Controller, NAT gateway, etc.) will reside in those networks.

  • The hosts of your Encryption Domain are all using "public IPs" to communicate with Telestax using the tunnel. This is a key design element to avoid potential private network overlapping issues.

Note that your Encryption Domain (IP routes) have to be globally unique ("public IPs") - as opposed to RFC 1918 address ranges - to avoid conflicts with other networks that the Restcomm platform is peered with. In other words, your IP routes have to be outside of the following ranges:
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255

Firewall

  • This device will manage the flows between your border devices and the Telestax services.

IP Whitelist

  • In order for various Telestax products to function properly, you need to whitelist Telestax' IP addresses on your end.

On Telestax side

A VPN Gateway

  • We will provide you with a pair of public IPs for redundancy and higher availability.

Encryption Domain

  • The Telestax Encryption Domain is using only public IPs for our SMSC service.

VPN Connection

  • Telestax will provision a VPN connection peer in the nearest to your location point of presence.

IPsec Pre-shared Key

  • We will provide you with a pre-shared Key (PSK) for the the IPsec authentification.

Customer VPN Onboarding Process

Please contact your Telestax account manager to start planning the VPN interconnect. The Telestax global support team will guide you through the process of enabling a VPN connection.

We will assist you through the various phases of the process:

Analysis

  • Gather data and check feasibility.

Configuration/creation at Telestax

  • Creation of the network resources needed in the point of presence (PoP) near you

  • Adding the network routes, NAT rules for the customer Encryption Domain IPs

  • Adding a VPN gateway with customer information

Testing

  • VPN connectivity (both directions)

  • ICMP/Telnet

  • SMPP traffic simulations

  • Capacity testing

  • High availability testing

Migration

  • Telestax engineers will be working with your team on the platform and networking issues and verify the VPN is ready for the migration of the traffic to production through the secured connection. Engineers will conduct:

    • Extensive testing

    • Service operation simulations

Configuration

All the details will be shared during the onboarding process:

Encryption Domains

  • Telestax Public IP addresses

  • Customer Public IP addresses

IPsec

  • VPN Device type, VPN public IP address and other details

  • The pre-shared key for the VPN will be sent through a secured channel

Telecom

  • SMPP: address, port, version and credentials

More protocols are planned to be added in the near future.