Solutions — IPsec VPN for IoT
When you manage IoT deployments across multiple countries, every device on the public internet is a potential exposure point and every dynamic IP makes remote management harder than it needs to be. TNF’s IPsec VPN for IoT solves both. We build and operate the full M2M VPN infrastructure: geo-redundant encrypted tunnels, a private APN, and static IP IoT SIMs. The result: every device in your deployment is an addressable node on your customers’ private network, across 200+ countries, with no public internet exposure and no per-device configuration overhead.
Response within 4 business hours. No sales pitch, no commitment.
When your customers deploy IoT devices across multiple countries and networks, keeping those devices securely connected to backend systems is an architectural challenge that grows with every device you add. Public internet exposure, dynamic IP assignments, and fragmented VPN setups create management overhead that your operations team absorbs and configuration complexity that scales badly as device counts grow.
TNF’s IPsec VPN for IoT removes that complexity. We operate a fully managed M2M VPN infrastructure that creates encrypted tunnels between our core network and your data centre, cloud environment, or your customers’ backend systems. Every IoT SIM in your deployment gets a static private IPv4 address within a dedicated subnet, turning cellular-connected devices into addressable nodes on an IoT private network.
For partners, whether you are an MSP integrating secure connectivity into managed services, a system integrator building industrial IoT platforms, or an IoT reseller looking to differentiate on security, this means you can offer enterprise-grade IoT device security without building or maintaining the VPN infrastructure yourself.
Most partners get a deployment assessment within 48 hours. No commitment.
More than 1,300 partners across industrial IoT, maritime, surveillance, logistics, and defence trust TNF to operate the network infrastructure behind their connectivity proposition.
Every M2M SIM in your deployment is assigned a static private IPv4 address. Your devices are individually addressable from within the corporate network, without dynamic IP assignment or NAT traversal. The static IP SIM approach eliminates the need for devices to initiate connections: your backend systems can reach any device at any time via its fixed private IP.
All assigned IP addresses are visible and manageable through the IoT Portal, giving you centralised IoT SIM IP management across the entire deployment. In practice, remote diagnostics run without wake-up delays, troubleshooting per incident is faster, and onboarding a new customer device fleet is straightforward from the first SIM.
TNF’s static IP IoT SIMs are available in all form factors, including embedded eUICC M2M compliant with GSMA SGP.32 for deployments that also require zero-touch provisioning or over-the-air profile management.
TNF’s IPsec VPN infrastructure operates across multiple geo-redundant zones. Each deployment includes two VPN tunnel connections to your remote site: a primary tunnel handling active traffic and a secondary on standby. When the primary fails, the secondary takes over without interruption. No manual action required, no connectivity gap for the devices or backend systems on either side of the tunnel.
This geo-redundant VPN IoT architecture is designed for deployments where a connectivity interruption has immediate operational consequences: industrial monitoring systems, maritime operations, and surveillance networks where a missed data point or delayed alarm is not acceptable.
Every partner gets a private Access Point Name (APN) that isolates device traffic from the public internet. Within that APN, M2M SIMs are grouped in a dedicated subnet, so all device-to-backend communication stays within a controlled network perimeter. Device data does not traverse the public internet. It flows from the cellular network through the IPsec tunnel directly into the destination data centre or cloud environment.
This private subnet M2M approach gives you a genuinely isolated network environment: a verifiable security architecture you can present to enterprise procurement teams, rather than a configuration that depends on correct setup at every endpoint.
As your deployment grows, the IPsec VPN infrastructure scales to match. Tunnel capacity adjusts to traffic volume without manual provisioning or capacity negotiations on your end. A pilot running fifty devices and a production rollout of fifty thousand devices operate on the same architecture: you add SIMs, the infrastructure absorbs the load.
This matters commercially because you do not need to renegotiate infrastructure capacity each time a customer grows their device fleet. The cost structure you agreed at the start of the deployment remains the basis as volume increases.
Response within 4 business hours.
IPsec VPN for IoT is one layer of a multi-layered security stack TNF deploys for every project. Combined with the security features built into the IoT Portal and the SIM management platform, your customers get a defence-in-depth approach that covers every attack surface. These layers are standard for every deployment: no additional licensing, no bolt-on costs.
IMEI locking. Each SIM is locked to a specific device IMEI. If a SIM is removed from its authorised device and inserted elsewhere, the connection is blocked automatically. This protects against physical tampering at remote or unmanned sites.
Data traffic whitelisting and blacklisting. You define exactly which IP ranges and URLs each SIM can reach. The attack surface is reduced to the minimum required for the use case, and nothing beyond that is reachable from the device.
Private APN isolation. Each partner’s APN is invisible to other users on the network. Devices cannot be discovered or addressed from outside your perimeter, regardless of which carrier network they roam onto.
SIM profiling and fraud detection. Real-time monitoring detects abnormal usage patterns before they escalate. Custom alerts in the IoT Portal flag unusual consumption, location anomalies, or unauthorised connection attempts as they occur.
Manufacturers and system integrators connect PLCs, sensors, and SCADA systems to central monitoring platforms across multiple production sites. Static IP IoT SIMs make each device addressable for remote diagnostics and firmware updates, while the VPN tunnel ensures industrial control data never touches the public internet.
Security integrators deploy camera systems and access control devices on cellular primary or backup connectivity. IPsec VPN ensures video streams and alarm signals reach the monitoring centre through an encrypted tunnel, with IMEI locking preventing physical tampering at remote sites.
Defense contractors and government agencies require network isolation that meets strict compliance standards. TNF’s geo-redundant VPN architecture with private subnets and IMEI-locked SIMs delivers the security posture these environments require, across borders, without reliance on local infrastructure.
Logistics and transport companies connect tracking devices, temperature sensors, and onboard computers through a single M2M VPN. Each vehicle’s SIM carries a static IP, reachable for real-time data pulls and remote configuration regardless of which country or network the vehicle operates on.
Utility providers deploy M2M SIMs across meter infrastructure spanning multiple regions and regulatory environments. Static IP assignment makes each meter individually addressable for remote reads and configuration. The private APN keeps meter data off the public internet, supporting compliance requirements in regulated energy markets.
Not every partner needs a white label storefront. TNF’s IoT portal exposes a REST API and webhook-based push notifications that connect directly to your existing operational environment. Manage the full SIM and eSIM lifecycle, provisioning, plan assignment, usage data, carrier switching, and suspension, without logging into the portal.
IoT resellers and MSPs: Automate SIM provisioning triggers when a device is deployed in your RMM or PSA workflow. Pull usage data directly into your client reporting. Set threshold alerts that fire in your own monitoring tools without manual portal checks.
Device manufacturers and OEMs: Trigger factory provisioning via API during device assembly. Execute profile updates across deployed fleets without physical access. Manage SGP.32 eIM operations programmatically for large-scale headless deployments.
Service providers and aggregators: Build multi-carrier orchestration logic into your own platform. Integrate billing data into your BSS. Expose SIM lifecycle management to your own customer-facing tools via the API surface.
The API is standards-based, supports SHA256 HMAC secured webhooks, and includes full documentation with sandbox access.
A connectivity reseller serving smart building integrators across the Netherlands and Germany needed to replace a single-carrier SIM product that generated constant support tickets about devices going offline in areas where that carrier had poor coverage. The reseller brought their SIM portfolio onto TNF’s IoT CMP, configured pooled data plans per customer, and added multi-carrier failover as a premium tier. Within two months of launch, support tickets related to network availability dropped and a measurable recurring revenue uplift came from the high-availability tier. The management platform, white-labeled under the reseller’s brand, replaced their three-system workaround with one dashboard.
An MSP delivering managed IT services to mid-market manufacturing companies needed to add IoT connectivity as a managed service component without running a separate connectivity platform. Using TNF’s API, SIM provisioning runs automatically within their existing service desk workflow when a new sensor or gateway is deployed. Usage data flows into their client reporting. The MSP delivers connectivity under their own brand and SLA. TNF manages the carrier infrastructure and network operations behind the scenes. The MSP added a recurring revenue line without adding headcount to their NOC.
A hardware manufacturer building industrial monitoring devices for the energy sector needed one device SKU that would work across Europe, the Middle East, and Latin America without regional hardware variants. TNF’s SGP.32-compatible eIM-based provisioning allowed them to ship devices with a bootstrap profile. On first power-on in the field, the device contacts the eIM and automatically receives the correct carrier profile for its deployment region. The manufacturer ships one SKU globally, without QR codes, local SIM logistics, or manual configuration at the deployment site.
Most partners reach TNF after the same realisation: they have outgrown the constraints of working through a carrier portal. The pricing is fixed. The branding is not theirs. The platform does not talk to their existing systems. The eSIM provisioning model does not scale to the device volumes they need to manage.
Every month that gap stays open, your margin leaks through disconnected systems, your team spends time on manual checks that should not exist, and your customers experience a service that does not reflect what your business is capable of delivering.
You handle the customer relationships and the market. TNF handles the Full MVNO infrastructure, wholesale network access, eSIM Orchestrator capabilities, and the operational platform behind it. You do not need to build the underlying infrastructure. You should not have to.
No commitment. Typical walkthrough: 30 minutes.
What is an eSIM Orchestrator and how does TNF's IoT portal support this role?
An eSIM Orchestrator (eSO) is the layer above the carrier network that manages carrier selection, eSIM profile lifecycle, remote provisioning, and network steering logic, without requiring ownership of core network infrastructure. TNF's IoT portal is the operational interface through which TNF exercises this eSO role: provisioning profiles over the air, managing carrier switching in real time, and controlling the full lifecycle of every SIM and eSIM across a deployment, including SGP.32-compliant devices managed via the eIM (eSIM IoT Remote Manager).
What is SGP.32 and why does it matter for IoT deployments?
SGP.32 is the GSMA's next-generation Remote SIM Provisioning standard, designed specifically for IoT devices. It introduces the eIM (eSIM IoT Remote Manager) as a server-side orchestration component and the IPA (IoT Profile Assistant) as a device-side execution layer. Together, they enable zero-touch provisioning, automated profile switching, and full lifecycle management without physical access to deployed devices. For enterprises deploying IoT fleets in maritime, industrial, or autonomous vehicle applications, SGP.32 removes the logistical constraints of earlier eSIM standards and enables a single-SKU global deployment model. Kaleido Intelligence forecasts 240% CAGR for SGP.32 eSIMs through 2028, with commercial acceleration through 2026 and a tipping point in 2027.
What is the difference between a CMP and an eSIM Orchestrator?
A Connectivity Management Platform (CMP) manages active SIM connections: usage monitoring, alerting, activation, and suspension. An eSIM Orchestrator goes further. It controls which eSIM profile sits on which device, executes remote provisioning without physical intervention, and handles the full profile lifecycle from factory to decommission, including SGP.32 eIM-driven operations. Carrier switching runs based on configurable logic, not manual action. TNF's IoT portal combines both capabilities in a single platform.
What is an IoT Connectivity Management Platform?
An IoT Connectivity Management Platform (IoT CMP) is a centralized cloud portal for managing SIM and eSIM connectivity across a device fleet or customer base. It brings SIM lifecycle management, multi-carrier network control, billing, customer CRM, and operational reporting into one environment. TNF's IoT CMP is built for partners, resellers, and enterprises managing connectivity at scale, across multiple carriers and countries, without running separate systems for each function.
What does remote SIM provisioning mean in practice for IoT deployments?
Remote provisioning means eSIM profiles are delivered over the air to supported devices without physical SIM distribution, on-site visits, or manual device configuration. For an IoT deployment of 500 devices across three countries, remote provisioning reduces activation from weeks to minutes. For SGP.32-compliant headless devices, offshore sensors, maritime equipment, or autonomous vehicles, where physical access after deployment is impossible, zero-touch provisioning via the eIM means devices self-configure on first boot based on location and pre-configured business rules.
Which SIM form factors does the TNF IoT portal support?
All standard form factors: Physical SIM (1FF, 2FF, 3FF, 4FF), eSIM QR code, LPA, embedded eUICC, ChipSIM, and MFF2 for industrial permanently installed applications. Single IMSI and Multi-IMSI configurations are both available. SGP.32-compliant eUICC with IPAe or IPAd implementations are supported.
How does network steering work across multiple carriers?
TNF's multi-IMSI capability connects devices to multiple carriers per country. Network steering logic determines the active carrier based on signal strength, geographic region, cost configuration, or availability rules. When a primary network underperforms or fails, the device switches automatically in real time, without manual action. For SGP.32 deployments, the eIM can trigger profile switches between carriers based on pre-defined policies, enabling automated multi-carrier strategies without operator lock-in.
Is the platform included, or is there a separate licence fee?
The IoT Connectivity Management Platform is included at no extra cost for every TNF partner. There are no licence fees, per-seat charges, or per-SIM platform costs. You operate the full feature set as part of your partnership agreement from day one.
What security capabilities does the IoT portal provide?
IMEI locking binds each SIM profile to a specific device, preventing unauthorized use if a device is lost or stolen. Private APN isolates device data traffic from public networks. IPsec VPN creates encrypted tunnels to backend systems. Fixed IP addresses enable consistent firewall rules and secure remote device access. Data traffic blacklisting and whitelisting control exactly which destinations devices can communicate with. [Input needed: confirm ISO 27001 direct certification status.]
What regulatory and compliance standards does TNF's platform meet?
TNF operates under Dutch telecom regulations and is supervised by the Autoriteit Consument & Markt (ACM). Platform operations are aligned with the technical and regulatory requirements of the Rijksinspectie Digitale Infrastructuur (RDI). The underlying infrastructure is built on ISO 27001 and SOC 2 certified telecom carrier systems. Connectivity is delivered exclusively via licensed and regulated mobile network operators in every country where TNF provides coverage. The platform is compliant with international data protection standards, including GDPR.
Can I integrate the platform with my existing systems?
Yes. REST API access and webhooks are standard. Integration types include automated SIM provisioning triggers, billing synchronisation with ERP and CRM systems, usage data feeds to BI tools, and alert forwarding to monitoring platforms. Payment gateway integrations include Stripe, PayPal, and Cardknox. Invoicing integrations include WeFact and Xero.
What is the difference between TNF's IoT CMP and a standard carrier portal?
A carrier portal ties you to one operator. That operator's coverage is your ceiling. White-labeling is not an option. Multi-carrier management in one view is not possible. Data plan creation happens on their terms, not yours. TNF's IoT CMP is carrier-neutral across 900+ networks in 200+ countries, fully white-labelable, multi-tenant, and includes a complete billing engine where you set the pricing. It also combines CMP functions with eSIM Orchestrator capabilities, including profile lifecycle management, zero-touch provisioning, and SGP.32 eIM operations, in a single platform.