Implementation of IPsec VPN with SIP Softphones using
GNS3
Amirisetti Sushma
Asian Institute of Technology,Thailand
12-13-691/9/2,Tarnaka, Hyderabad
0928469157, +918977557055
vickysweety275@gmail.com
ABSTRACT
Over the past decades, Session Initiation Protocol (SIP) has
achieved much attention regarding Voice over IP services(VOIP)
when comparing with various protocols like H.323 or MGCP. SIP
is the special protocol for present and future IP telephony services
which is turning as real challenger for traditional telephony
services. Due to its open architecture, the available services are
vulnerable to various kinds of security threats like presently live
on the Internet. Hence, there is a need to provide security to SIP
based VOIP implementations, especially, a remotely secure
communication using Virtual Private Networks (VPN). In this
paper, we discuss about site-to-site IPsec VPN which
communicate in the intra-nets. The implementation of IPsec VPN
is done with security protocols for exchanging key management,
authentication and integrity using Graphical Network Simulator 3
(GNS3). The encryption of data packets when information is
transferred between different sites is tested and verified using
tools like Ping, IPerf and Wireshark. The performance in terms of
delay, bandwidth consumption, jitter and the data rate of the
proposed method with and without Firewalls is analyzed. It is
obvious that our proposed method can provide the security and
prohibit the attackers to attack the network.
CCS Concepts
• Security and privacy➝Cryptography • Computing
methodologies➝Simulation support systems➝Simulation
tools..
Keywords
Session Initiation Protocol (SIP), IPsec, Tunneling, VPN,
Network Address Translator(NAT), VOIP
1. INTRODUCTION
Nowadays, the privacy is an issue with increasing importance in
communication network for users. For instance, the Apple
company has put great effort to secure the privacy of their
believed customers after the demand from FBI to settle a suspect's
phone to access its data. The main issue is that the underlying
principle of a government has demanded a company to decrease
Permission to make digital or hard copies of all or part of this work for
personal or classroom use is granted without fee provided that copies are
not made or distributed for profit or commercial advantage and that copies
bear this notice and the full citation on the first page. Copyrights for
components of this work owned by others than ACM must be honored.
Abstracting with credit is permitted. To copy otherwise, or republish, to
post on servers or to redistribute to lists, requires prior specific permission
and/or a fee.
Request permissions from Permissions@acm.org.
ICNCC 2018, December 14–16, 2018, Taipei City, Taiwan
© 2018 Association for Computing Machinery.
ACM ISBN 978-1-4503-6553-6/18/12…$15.00
DOI: http://dx.doi.org/ 10.1145/3301326.3301333
152
Teerapat Sanguankotchakorn
Asian Institute of Technology, Thailand
P.O.Box 4, Klong Luang,
Pathumthani, Thailand 121200
teerapat@ait.ac.th
the product’s security. It would violate upon their company and
moreover affect many users. Many discussions has been
continued because of this issue and users are aware of their
privacy and how it is secured. Successfully some services like
Whats-App have increased end-to-end security through encryption.
Privacy is mostly related to personal data and private
communications. As bandwidth requirement has increased and
mobile networks has been widely spreading, our communications
have moved greatly from fixed line telephony or Internet
networks. Presently, VoIP (Voice over Internet Protocol) is slowly
replacing our telephony requirements. Similarly, the email has
greatly dominated our message transfer needs. From last few
years, VOIP traffic mostly has gone through traditional IP
networks. SIP with peer-to-peer communication was started after
many research activities [2, 3].
Today, many mobile networks provide enough bandwidth to
support a VoIP connection, but they may be unreliable,
originating problems in the communication. These problems
namely, delay and jitter in the network, immediately degrade the
quality of the conversation mostly, lowering the VOIP call than a
standard call. VoIP and all other traffics that use the secure tunnel
are protected by using VPN. If it is feasible, this can give an
intrinsic solution. The main objective of this paper is to
implement a SIP enabled IP secure VPN tunnel which can provide
greater security to our network which was built using Cisco
routers. Then, the network connectivity with and without firewall
access control lists in Site-to-Site IPsec VPN tunnel is compared
to each other using GNS3. The connectivity between Cisco
routers at two different sites is verified using Ping tool. Next, we
establish IPsec VPN tunnel and initiate calls from one site to
another using SIP softphones connected to Asterisk server. We
use Cisco router and Security Device Manager (SDM) software to
implement the access control policies on both of the
eavesdropping, session tear down, stress-examining with
malformed messages data gathering, signalling and session
hijacking. By observing the efficiencies of the targeted devices to
overcome and recover after the attack, the conclusions were
drawn. As we know that day-by-day, new Denial of Service (DoS)
attacks have been developing. Hence, the security threats in VoIP
systems become necessary and underlying concern for people in
charge of security in a correlated network. The business
endlessness of an organization, regarding confidentiality,
availability, and integrity of services, causing frequent losses of
both information and money are affected. The main objective of
connected/configured interfaces of the router in order to make our
network highly secured.
2. RELATED WORK
Different VPN tunneling protocol performances are analysed in
[1]. In [1],the performance metrics such as throughput, round trip
time, jitter and other security parameters of VPN tunnelling
protocols namely GRE, IPsec, PPTP and L2TP with IPsec are
main focuses. In [2], they analysed the mechanism of VOIP
system and the segments of SIP namely SIP User Agent and SIP
network server. The inefficiency of SIP security mechanism was
finally pointed out. SIP based VoIP is very useful to assure the
security of SIP-based VoIP system. A brief idea to the motivation
for P2P-SIP and the needs for building up its structure is given in
[3]. Then, two design choices of P2P-SIP architectures are
introduced based on the present level. The data about site-to-site
IPsec-VPN which connects the company intranets is provided in
[4]. The IPsec VPN network with security protocols for key
exchange and management, integrity and authentication is
implemented using GNS3. In [5], they collate the research using
Gateways, Gatekeeper, H.323 Cisco and several H.323 software
clients on a virtual emulated VoIP architecture. The security
evaluation was tested. The important points in [5] include [6] is to
establish the basic measures to reduce DoS problems, based on
the SIP which is possible in VOIP systems. In [6], a secure model
known as MS-DOS-SIP which consists of two approaches is
proposed. Firstly, it analyses the proposals of international
security standards. Secondly, it approaches the account weakness
and threats. It is shown that 92% of present vulnerabilities were
minimized to allow the implementation of this idea in a VOIP
system and the availability period of the VOIP service within an
organization was increased.
3. PROPOSED METHOD AND SYSTEM
DESIGN
Firstly, the scenario of Site-to-Site VPN IPsec tunnelling is
explained in detail. We use the inbuilt Firewall/IPS and IPsec
features of Cisco C7200 series routers for our implementation. All
the inbound traffics to two routers are observed and the trusted
interfaces are allowed to connect. In this work, the encryption
parameters are configured on router R1 for IPsec tunnel as shown
in the network diagram of figure 1 to create an IPsec VPN tunnel
153
between the two sites. The Cisco routers and Cisco SDM open
software are used in this simulation to equip the access control
policies and ID (Intrusion Prevention System) on the router. All
traffics received by the router’s interface are observed to allow
only the IPsec secure tunnel data. The other traffic will be
dropped. The process that takes place during site-to-site
communication over an IPsec VPN site-to-site tunnel is
summarized as follows:
1. Configuring the desired topology with routers, Ethernet
switch, cloud etc.The Site-A heading with router R2,
has two interfaces f2/0 and f0/0. The interface f0/0 and
f2/0 are configured with the IP addresses 1.1.1.2(outside)
and 172.16.10.1(inside), respectively. Similarly, the
Site-B heading with router R3, has two interfaces f2/0
and f0/0. The interface f0/0 and f2/0 are configured with
the IP addresses 2.2.2.2(outside) and
192.168.10.1(inside) respectively.
2. Installing Asterisk PBX software in Linux system and
configuring the softphones with IP addresses. The
Asterisk server acts as a server for all the SIP
softphones clients in both the sites.
3. Configuring IPsec VPN tunnel between Router R2
(outside) and R3 (outside) with access list policies and
Crypto ISAKMP and IPsec commands.
4. After establishing tunnel between R2-R3, the
connection between two different sites can be verified
using Ping tool.
5. Now when Site-A SIP soft phone client 1 starts calling
Site-B SIP soft phone client 2, the session is established
between two sites.
6. Installing Cisco Security manager software on R1 and
R2 and configuring access list rules and IPS.
 other data will be refused to achieve the maximum reachable
security level.

4. RESULTS & DISCUSSION

a) Performance of the Network with and
without Firewall when Attack takes
place
i. Case 1: Without Firewall
Delay: By using PING tool, graphical representation of delay
versus time is measured.

Figure 2. Step-by-Step Procedure of our Figure 3. Delay vs Time of the Network without Firewall.
Proposed Method.
Bandwidth and Jitter: For analyzing Bandwidth, IPerf
software is used where we can specify the IP address as client or
a) Establishing tunnel between R2 and server, initiate the packets from client to server and measure
R3 & call between two SIP softphones bandwidth and jitter. As shown in figure 4, 5 and 6, these are the
Configuring Routers with crypto ISAKMP and IPsec policies with console results when an unknown attacker acts as client and initiates some
application in GNS3 .When Site-A acts as a session initiator, the call is packets transmission for 100 seconds. The result of bandwidth is
initiated by clients of Site-A and is accepted by clients in Site-B before measured every 1 second, while the jitter is shown in average.
establishing firewall

b) IPsec and Firewall Implementation

Configuring Routers with crypto ISAKMP and IPsec policies with
console application in GNS3 .When Site-A acts as a session
initiator, the call is initiated by clients of Site-A and is accepted
by clients in Site-B before establishing firewall

c) Firewall based access control policies

on R2 & R3
We have used Security Device Manager (SDM) software to
simulate the access control policies and Intrusion Prevention
System on the connected interfaces of the router.For Cisco IOS
Software featured routers, Cisco SDM is a tool for web related
device management. Services like Routing, Switching, Quality of
Service (QoS) and Security can be simply and easily connected
while enabling best management through performance observing.
It permits fast and easy management of access control lists and
data inspection rules through a graphical interface. This
connection is applied via SDM for the outside i.e untrusted
network. All the traffic arriving at the routers
FastEthernet0/0/(2.2.2.2) & FastEthernet0/0/(1.1.1.2) interfaces
Figure 4. Attacker’s Bandwidth vs Time of the Network
can be observed to allow the IPsec secure tunnel traffic. All the
without Firewall.

154

Figure 5. Router’s (R3) Bandwidth vs Time of the
Network without Firewall.
Figure 6. Router’s(R3) Jitter vs Time of the Network
without Firewall.
Figure 7. Packets Rate vs Time of the Network without
Firewall
155
4.1.2 Case 2: With Firewall
Delay: when an attacker attacks the router with firewall, the
router drops the unknown packets coming from any unknown IP
address not specified in the router’s firewall access list. Hence,
there will be no packet flow when firewalls are ”ON” and no delay
can be obtained.
Bandwidth and Jitter: IPerf software is used to analyze
bandwidth, where we can specify the IP address as client or server,
initiate the packets from client to server and obtain bandwidth and
jitter. When an unknown attacker acts as client and initiates some
packets transmission for 100 seconds, the packets are dropped by
server i.e the router is protected with firewall access control list.
Hence, none of the packets will be received by the server.
Therefore, the bandwidth and jitter cannot be computed. So after
the configuration of firewall on routers, the router drops down the
unknown packets due to the security policies configured on the
router. Finally, the site-to-site IPsec VPN tunnel is established and
the connectivity between two sites can be tested using Ping tool.
Further, firewall is also tested.
Figure 8. Attacker’s Bandwidth vs Time of the Network
with Firewall.
Figure 9. Packets vs Time of the Network with
Firewall.
5. CONCLUSION
In this work, we implement and compare the network connectivity
with and without firewall access control list in Site-to-Site IPsec
VPN tunnel using GNS3. We verify the connectivity between two
different sites of Cisco routers using Ping tool. We Establish IPsec
VPN tunnel and initiate calls from one site to another using SIP
softphones connected to Asterisk server. We measure the
performance in terms of delay, bandwidth, jitter in the network
with and without firewall to demonstrate the effectiveness of
security in prohibiting attackers. We used Cisco Router and
Security Device Manager (SDM) software to perform the access
control policies on the connected interfaces of the router to make
our network highly secured.
6. REFERENCES
[1] Kuhn, D. R., Walsh, T. J., & Fries, S. (2005). Security
Considerations for Voice Over IP Systems
Recommendations of the National Institute of Standards and
Technology. National Institute of Standards and Technology,
(800–58), 1–93. http://doi.org/10.1177/0037768615587840
[2] Pu, F. (n.d.). P2P architecture for IP telephony using SIP
Overview of P2P.
[3] Shan, L., & Jiang, N. (2009). Research on security
mechanisms of SIP-based VoIP system. Proceedings - 2009
156
9th International Conference on Hybrid Intelligent Systems,
HIS 2009, 2, 408–410. http://doi.org/10.1109/HIS.2009.196
[4] Jahan, S., Rahman, M. S., & Saha, S. (2017). Application
specific tunneling protocol selection for Virtual Private
Networks. Proceedings of 2017 International Conference on
Networking, Systems and Security, NSysS 2017, 39–44.
http://doi.org/10.1109/NSysS.2017.7885799
[5] Kuhn, D. R., Walsh, T. J., & Fries, S. (2005). Security
Considerations for Voice Over IP Systems
Recommendations of the National Institute of Standards and
Technology. National Institute of Standards and Technology,
(800–58), 1–93. http://doi.org/10.1177/0037768615587840
[6] Salman, F. A. (2017). Implementation of IPsec-VPN
tunneling using GNS3. Indonesian Journal of Electrical
Engineering and Computer Science, 7(3), 855–860.
http://doi.org/10.11591/ijeecs.v7.i3.pp855-860
[7] Herculea, M., & Dobrota, V. (n.d.). Security Assessment for
an H . 323 VoIP Virtual Environment. Security.