Can't Register Client - Multiple Subnets

I tried asking the following on the mailing list, but didn’t get a response. Perhaps it was the wrong venue for it.

I am unable to get any softphone to register to my asterisk server
when I am connected via VPN. I have tried Ekiga, LinPhone, and
Twinkle… on multiple machines. It works fine when locally connected
(same subnet). The VPN is not NAT’ing anything… and all other
connections work fine across it (i.e. http, ssh, scp, ftp, etc). In
fact, the asterisk logs show the connections, so it's getting to the
server.

I am getting the following errors:
moe*CLI>
<-- SIP read from 10.4.5.6:5061:
REGISTER sip:10.4.6.4 SIP/2.0
CSeq: 1 REGISTER
Via: SIP/2.0/UDP 10.4.5.6:5061;branch=z9hG4bK4e847b36-8663-db11-81de-000e7beef61c;rport
User-Agent: Ekiga/2.0.1
From: sip:211@10.4.6.4;tag=86747b36-8663-db11-81de-000e7beef61c
Call-ID: b22a7b36-8663-db11-81de-000e7beef61c@dailyplanet
To: sip:211@10.4.6.4
Contact: sip:211@10.4.5.6:5061;transport=udp
Allow: INVITE, ACK, OPTIONS, BYE, CANCEL, REGISTER, SUBSCRIBE, NOTIFY, REFER, MESSAGE
Expires: 3600
Content-Length: 0
Max-Forwards: 70

--- (12 headers 0 lines) ---
Using latest REGISTER request as basis request
Sending to 10.4.5.6 : 5061 (NAT)
Transmitting (NAT) to 10.4.5.6:5061:
SIP/2.0 100 Trying
Via: SIP/2.0/UDP 10.4.5.6:5061;branch=z9hG4bK4e847b36-8663-db11-81de-000e7beef61c;received=10.4.5.6;rport=5061
From: sip:211@10.4.6.4;tag=86747b36-8663-db11-81de-000e7beef61c
To: sip:211@10.4.6.4
Call-ID: b22a7b36-8663-db11-81de-000e7beef61c@dailyplanet
CSeq: 1 REGISTER
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Contact: sip:211@10.4.9.14
Content-Length: 0


Transmitting (NAT) to 10.4.5.6:5061:
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 10.4.5.6:5061;branch=z9hG4bK4e847b36-8663-db11-81de-000e7beef61c;received=10.4.5.6;rport=5061
From: sip:211@10.4.6.4;tag=86747b36-8663-db11-81de-000e7beef61c
To: sip:211@10.4.6.4;tag=as51849e53
Call-ID: b22a7b36-8663-db11-81de-000e7beef61c@dailyplanet
CSeq: 1 REGISTER
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="2f971e1b"
Content-Length: 0


Scheduling destruction of call 'b22a7b36-8663-db11-81de-000e7beef61c@dailyplanet' in 15000 ms

Info…

10.4.6.0/24 = internal
10.4.5.0/24 = vpn

[root@moe ~]# rpm -qa | grep -i asterisk
asterisk-addons-1.2.5-11.fc4.at
asterisk-sounds-1.2.1-8.at
asterisk-1.2.13-29.fc4.at
[root@moe ~]# rpm -qa | grep -i zap
zaptel-kmdl-2.6.17-1.2142_FC4-1.2.10-20.fc4.at
zaptel-1.2.10-20.fc4.at
[root@moe ~]#

[root@moe ~]# cat /etc/asterisk/sip.conf

[general]
port = 5060 ; Port to bind to (SIP is 5060)
bindaddr = 0.0.0.0 ; Address to bind to (all addresses on machine)
localnet=10.4.0.0/255.255.0.0
externip=69.12.xxx.xx
disallow=all
allow=ulaw
allow=alaw
context = from-sip-external ; Send unknown SIP callers to this context
callerid = Unknown
tos=0x68

[root@moe asterisk]# cat sip_additional.conf

[211]
type=friend
secret=12345678
record_out=Adhoc
record_in=Adhoc
qualify=yes
port=5060
nat=yes
host=dynamic
dtmfmode=rfc2833
dial=SIP/211
context=from-internal
canreinvite=no
callerid=device <211>
allow=all

Try turning NAT off for device 211 in sip.conf (nat=no).
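
Added example, not part of either post: in the posted trace the 401 with WWW-Authenticate is the server's digest challenge, and no second REGISTER carrying an Authorization header follows it. The Python below flags challenges that were never answered in a trace of this shape and computes the RFC 2617 response an authenticated retry would carry for a challenge without qop. The function names are illustrative and the sample trace is a trimmed, constructed copy of the one posted.

```python
import hashlib
import re

# Constructed sample: the trace from the post, trimmed to the headers used here.
TRACE = '''<-- SIP read from 10.4.5.6:5061:
REGISTER sip:10.4.6.4 SIP/2.0
Call-ID: b22a7b36-8663-db11-81de-000e7beef61c@dailyplanet

Transmitting (NAT) to 10.4.5.6:5061:
SIP/2.0 401 Unauthorized
Call-ID: b22a7b36-8663-db11-81de-000e7beef61c@dailyplanet
WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="2f971e1b"
'''

def parse_messages(trace):
    """Split a SIP debug trace into [direction, start_line, headers] entries."""
    messages, current = [], None
    for line in (raw.strip() for raw in trace.splitlines()):
        if line.startswith(("<-- SIP read from", "Transmitting")):
            current = ["rx" if line.startswith("<--") else "tx", "", {}]
            messages.append(current)
        elif not line:
            current = None              # blank line ends the header block
        elif current is not None and not current[1]:
            current[1] = line           # request line or status line
        elif current is not None and ":" in line:
            name, value = line.split(":", 1)
            current[2][name.strip().lower()] = value.strip()
    return messages

def unanswered_challenges(messages):
    """Map Call-ID -> challenge for 401s never followed by an authenticated REGISTER."""
    challenged, answered = {}, set()
    for direction, start, headers in messages:
        call_id = headers.get("call-id")
        if direction == "tx" and start.startswith("SIP/2.0 401"):
            challenged[call_id] = headers.get("www-authenticate", "")
        elif direction == "rx" and start.startswith("REGISTER") and "authorization" in headers:
            answered.add(call_id)
    return {cid: ch for cid, ch in challenged.items() if cid not in answered}

def digest_response(user, secret, method, uri, challenge):
    """RFC 2617 digest for a challenge without qop, as in the 401 above."""
    params = dict(re.findall(r'(\w+)="?([^",]+)"?', challenge))
    md5 = lambda text: hashlib.md5(text.encode()).hexdigest()
    ha1 = md5(f"{user}:{params['realm']}:{secret}")
    ha2 = md5(f"{method}:{uri}")
    return md5(f"{ha1}:{params['nonce']}:{ha2}")
```

An empty result from `unanswered_challenges` means every challenge in the trace was followed by an authenticated REGISTER on the same Call-ID.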