Test shows VoIP call quality can improve with SSL VPN links

VoIP is often written off as an application that will not work well over an SSL VPN link. To test that argument, we examined 10 SSL VPN products in four network scenarios to see how well VoIP calls were handled by the products' network extension clients.

The news is generally good. In high-bandwidth, low-latency environments, there is virtually no difference in quality between an unencrypted VoIP call and the same call made over an SSL VPN (see chart). Even better news is our discovery that a VoIP call made over SSL VPN on a typical broadband Internet connection is of higher quality than an unencrypted call. The only bad news comes with truly awful network connections: ones with high loss and limited bandwidth. In this environment, neither unencrypted VoIP calls nor SSL VPN-protected calls will be considered acceptable (for example, below a mean opinion score [MOS] of 3).

Except for Fortinet's Fortigate appliance, the vendors included in this test are the same as those that were tested for our blow-out SSL VPN test conducted last December. AEP Networks' Netilla Security Platform, Array Networks, SPX-5000, Aventail's Smart SSL VPN, Caymas Systems' Caymas 525, Check Point's Connectra, F5's FirePass 4100, Juniper Networks' Secure Access 6000, Nokia's Secure Access System 500, Nortel's VPN Gateway 3070 and SonicWall's SSL-VPN 2000.

Click to see:

While our results do show some differences between products, small variations in the MOS should not be considered significant. What is more important, our testing demonstrates that SSL VPN and VoIP work together well over broadband networks, even in the face of some network loss and congestion. We also found that datagram-based SSL VPN techniques, such as those used by Nortel and Juniper (both optionally), do not appear to offer any real advantage for VoIP traffic and may give poorer results than TCP-based SSL VPN from the same vendors.

To test VoIP over SSL VPN, we used a product from GL Communications that measured the quality of voice calls using standardized testing procedures. To see how VoIP would behave in the real world of broadband ISPs, we used a Shunra Virtual Enterprise to inject latency, loss and other impairments, based on our measurements of broadband IP service at wireless hot spots, hotels and other temporary locations around the world. (see "How we did it"). We used common "soft-phone" Session Initiation Protocol software on the SSL VPN client side, with a SIP "hard phone" inside the SSL VPN server.

We examined four scenarios, ranging from a perfect 100Mbps network with a few millisec of latency, all the way to a poor-quality 100Kbps network with 60 milliseconds of latency and other impairments. We called these four scenarios "unimpaired," "good," "bad" and "bad/slow."

Our first tests set a reference to see how the SIP software and hardware would work without a VPN in the way. The GL Communications Voice Quality Tester gave us MOS ratings for our calls, with higher scores being better quality. Most people would consider a call with a score as low as 3.0 to be acceptable, although obviously degraded (see "Minding your Ps and Qs"). These no-VPN networks set the standard for SSL VPNs to meet: acceptable quality over unimpaired and good networks, with poor calls over the bad and bad/slow networks.