Securing SIP endpoint connections


I’ve read several times that SIP (or VoIP) is not realistic over VPN. So I was wondering what the options are to secure a SIP endpoint over the Internet. I don’t want to use IP restrictions as dynamic DNS will make this too inconvenient.

What I was thinking is:

  1. Can an Asterisk server authenticate the client using a client-side certificate?

  2. Can the SIP-endpoint authenticate the server using a server-side certificate?

  3. Can the connection be encrypted?

I think I heard about SIP over SSL, which would indicate to me that numbers 2 and 3 are possible using this. In this case, does that lead to a good quality connection?

I would really like it if #1 were possible. My biggest concern with VoIP over the internet would be someone else connecting to my VoIP server and making/receiving calls and misrepresenting my company.

Thanks for all your help.

This may require a bit of work… but in theory you could route the SIP signaling over the VPN connection and route the RTP stream over the public internet. That way nobody could set up/tear down a call unless they were on the trusted network. The only downside from a security standpoint would be that your RTP stream would be unencrypted… which I personally wouldn’t worry much about, but that’s just me.
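The three points in the question (client certificate, server certificate, encrypted connection) and the unencrypted-RTP concern in the answer can all be addressed in Asterisk's PJSIP channel driver without a VPN. The following pjsip.conf fragment is an added example and is not from either poster; the file paths, the `branchoffice` endpoint name, the codec and the context are assumptions for illustration. It defines a TLS transport that presents a server certificate, requires and verifies a client certificate against a private CA, and turns on SRTP for the media stream.

```ini
; Added example (not from the question or answer): Asterisk pjsip.conf
; fragment for a TLS-only SIP transport with mutual certificate checks
; and SRTP media. Paths, names and the endpoint are assumed values.

[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
; Server certificate and key: the phone verifies the PBX (question #2).
cert_file=/etc/asterisk/keys/pbx.crt
priv_key_file=/etc/asterisk/keys/pbx.key
; Private CA that issued the phones' client certificates (question #1).
; A connecting phone must present a certificate chaining to this CA.
ca_list_file=/etc/asterisk/keys/ca.crt
verify_client=yes
require_client_cert=yes
; Refuse legacy protocol versions; signaling is encrypted (question #3).
method=tlsv1_2

[branchoffice]
type=endpoint
transport=transport-tls
context=from-internal
disallow=all
allow=ulaw
auth=branchoffice-auth
aors=branchoffice
; SRTP with keys carried in the TLS-protected SDP, so the RTP stream
; crossing the public internet is not sent in the clear.
media_encryption=sdes

[branchoffice-auth]
type=auth
auth_type=userpass
username=branchoffice
; Placeholder: use a long random secret; digest auth still identifies the endpoint.
password=CHANGE_ME_long_random_secret

[branchoffice]
type=aor
max_contacts=1
```

One caveat a practitioner should keep in mind: the client certificate check only proves the connecting device holds a certificate issued by your CA; Asterisk still decides *which* endpoint is registering from the digest credentials in the `auth` section, so the password remains part of the trust boundary and should be unique per device. Issue one certificate per phone so a lost handset can be excluded by rotating the CA list. After reloading, `pjsip show transports` on the Asterisk CLI confirms the TLS transport is bound on port 5061.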