VoIP is often written off as an application that will not work well over an SSL VPN link. To test that argument, we examined 10 SSL VPN products in four network scenarios to see how well VoIP calls were handled by the products' network extension clients.

The news is generally good. In high-bandwidth, low-latency environments, there is virtually no difference in quality between an unencrypted VoIP call and the same call made over an SSL VPN (see chart). Even better news is our discovery that a VoIP call made over SSL VPN on a typical broadband Internet connection is of higher quality than an unencrypted call. The only bad news comes with truly awful network connections: ones with high loss and limited bandwidth. In this environment, neither unencrypted VoIP calls nor SSL VPN-protected calls will be considered acceptable (for example, below a mean opinion score [MOS] of 3).

Except for Fortinet's Fortigate appliance, the vendors included in this test are the same as those that were tested for our blow-out SSL VPN test conducted last December. AEP Networks' Netilla Security Platform, Array Networks, SPX-5000, Aventail's Smart SSL VPN, Caymas Systems' Caymas 525, Check Point's Connectra, F5's FirePass 4100, Juniper Networks' Secure Access 6000, Nokia's Secure Access System 500, Nortel's VPN Gateway 3070 and SonicWall's SSL-VPN 2000.

Click to see:

While our results do show some differences between products, small variations in the MOS should not be considered significant. What is more important, our testing demonstrates that SSL VPN and VoIP work together well over broadband networks, even in the face of some network loss and congestion. We also found that datagram-based SSL VPN techniques, such as those used by Nortel and Juniper (both optionally), do not appear to offer any real advantage for VoIP traffic and may give poorer results than TCP-based SSL VPN from the same vendors.

To test VoIP over SSL VPN, we used a product from GL Communications that measured the quality of voice calls using standardized testing procedures. To see how VoIP would behave in the real world of broadband ISPs, we used a Shunra Virtual Enterprise to inject latency, loss and other impairments, based on our measurements of broadband IP service at wireless hot spots, hotels and other temporary locations around the world. (see "How we did it"). We used common "soft-phone" Session Initiation Protocol software on the SSL VPN client side, with a SIP "hard phone" inside the SSL VPN server.