I have a Digium D60 phone on the internet configured with the built-in OpenVPN functionality successfully configured. My D60 is able to connect to my asterisk server through openvpn successfully, but I believe there is a error with the SIP header sent from the Digium phone. Is there anyone from Digium who can review and assist?
Public IP of phone (masked for privacy): A.B.C.D
IP assigned to D60 phone with openvpn connection established: 10.10.23.58
Asterisk server: 10.10.16.12
The 10.10.x.x addresses are corporate IP addresses behind a firewall. All traffic on internal networks is routed properly. The asterisk server is able to ping the D60 phone at the VPN assigned IP, 10.10.23.58
With SIP debug enabled on asterisk, here is what I see when the Digium phone contacts the asterisk server:
<--- SIP read from UDP:10.10.23.58:5060 ---> MESSAGE sip:email@example.com:5060;transport=udp SIP/2.0 Via: SIP/2.0/UDP A.B.C.D:5060;rport;branch=z9hG4bKPj53zUxjkekZz5E541qcB5O-zcxncEYl2p Max-Forwards: 70 From: <sip:A.B.C.D>;tag=Xou4B3Oe0t358t0HmDB2OEcySmnUc4Os To: <sip:firstname.lastname@example.org> Call-ID: IZj7U3x.6r6miCqd00u2XWgjk4B4x9Jl CSeq: 18281 MESSAGE Accept: text/plain, application/im-iscomposing+xml User-Agent: Digium D60 2_6_5 X-Digium-User-Agent: Digium D60 2_6_5 X-Digium-AppServer-ID: aeprox173476371 X-Digium-AppServer-Message-Salt: 7B47CCFD0E07B75B X-Digium-AppServer-MACAddress: 000FD30B1B8A X-Digium-AppServer-Session: 8007087691818030893 X-Digium-AppServer-RequestType: AsteriskRequest Content-Type: text/plain Content-Length: 408 mSubX19iMBY6y12eJWZsBxcADIW7o96cFeFiXIlh/pbckMgmVcFmoWjTDcuTalK0hli9Z/sk5LqNRtt0/l7H0WaCcW/jVdgytZ+BKHMCsJe/P2qVys868zrU9mEfrxyWA2b8kSY+s+JnLz2f5/80WyKWkp\ mvPsihbZQ25vOrISmlkjHE4lxN3iuNl02IDGqvJQPKBwWeh1WL4mJXhehWHaP6sX94D7CoGtdjCs6uq5/tCTEKcNeMej4s4IKdvQoOMqzOIPoYzpWMRnkauKaCsLhNHocyiVluhsH/3ZQ5OWUFVUl9Z+uA\ TxwtSGfskct8rJlGzqQFfA8Ql6T2UuN2q9CptpAOdluqld3ppZj0F7ureQmqekHwJksmDPabPFGJ/Lyz3Z2BFNKF3LjB/A5GQg== <-------------> --- (17 headers 1 lines) --- Sending to 10.10.23.58:5060 (NAT) Receiving message! Looking for proxy in dpma_message_context (domain 10.10.16.12) <--- Transmitting (NAT) to 10.10.23.58:5060 ---> SIP/2.0 202 Accepted Via: SIP/2.0/UDP A.B.C.D:5060;branch=z9hG4bKPj53zUxjkekZz5E541qcB5O-zcxncEYl2p;received=10.10.23.58;rport=5060 From: <sip:A.B.C.D>;tag=Xou4B3Oe0t358t0HmDB2OEcySmnUc4Os To: <sip:email@example.com>;tag=as6d897c87 Call-ID: IZj7U3x.6r6miCqd00u2XWgjk4B4x9Jl CSeq: 18281 MESSAGE Server: Asterisk PBX certified/13.18-cert3 Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE Supported: replaces, timer Content-Length: 0
With VPN enabled on the Digium D60 phone, shouldn’t the VPN-assigned IP address of 10.10.23.58 be used in the SIP from:<> header? That is, instead of
shouldn’t it be
The reason why this matters is because the whole point of having VPN support within the D60 is so that the asterisk server can reach it despite the phone being outside of the intranet where the asteirsk server resides. If the public internet IP address leaks into the SIP header after VPN in the D60 is established, the asterisk server will send traffic to the wrong (public) IP address A.B.C.D on a SIP reinvite.
I have tried filing a trouble issue report with Digium support, but was unsuccessful in getting past the first level of support, who could not understand why this is an issue.
I realize I can work around this by enabling NAT on the asterisk sip configuration, but that means reinvites don’t work and the asterisk server needs to remain in the media path for every phone call.
I believe that when VPN functionality is connected inside the D60, the VPN-assigned IP should be used in the SIP headers, not the phone’s public IP. Am I correct, or mistaken?