I have a Digium D60 phone on the internet configured with the built-in OpenVPN functionality successfully configured. My D60 is able to connect to my asterisk server through openvpn successfully, but I believe there is a error with the SIP header sent from the Digium phone. Is there anyone from Digium who can review and assist?
Public IP of phone (masked for privacy): A.B.C.D
IP assigned to D60 phone with openvpn connection established: 10.10.23.58
Asterisk server: 10.10.16.12
The 10.10.x.x addresses are corporate IP addresses behind a firewall. All traffic on internal networks is routed properly. The asterisk server is able to ping the D60 phone at the VPN assigned IP, 10.10.23.58
With SIP debug enabled on asterisk, here is what I see when the Digium phone contacts the asterisk server:
<--- SIP read from UDP:10.10.23.58:5060 --->
MESSAGE sip:proxy@10.10.16.12:5060;transport=udp SIP/2.0
Via: SIP/2.0/UDP A.B.C.D:5060;rport;branch=z9hG4bKPj53zUxjkekZz5E541qcB5O-zcxncEYl2p
Max-Forwards: 70
From: <sip:A.B.C.D>;tag=Xou4B3Oe0t358t0HmDB2OEcySmnUc4Os
To: <sip:proxy@10.10.16.12>
Call-ID: IZj7U3x.6r6miCqd00u2XWgjk4B4x9Jl
CSeq: 18281 MESSAGE
Accept: text/plain, application/im-iscomposing+xml
User-Agent: Digium D60 2_6_5
X-Digium-User-Agent: Digium D60 2_6_5
X-Digium-AppServer-ID: aeprox173476371
X-Digium-AppServer-Message-Salt: 7B47CCFD0E07B75B
X-Digium-AppServer-MACAddress: 000FD30B1B8A
X-Digium-AppServer-Session: 8007087691818030893
X-Digium-AppServer-RequestType: AsteriskRequest
Content-Type: text/plain
Content-Length: 408
mSubX19iMBY6y12eJWZsBxcADIW7o96cFeFiXIlh/pbckMgmVcFmoWjTDcuTalK0hli9Z/sk5LqNRtt0/l7H0WaCcW/jVdgytZ+BKHMCsJe/P2qVys868zrU9mEfrxyWA2b8kSY+s+JnLz2f5/80WyKWkp\
mvPsihbZQ25vOrISmlkjHE4lxN3iuNl02IDGqvJQPKBwWeh1WL4mJXhehWHaP6sX94D7CoGtdjCs6uq5/tCTEKcNeMej4s4IKdvQoOMqzOIPoYzpWMRnkauKaCsLhNHocyiVluhsH/3ZQ5OWUFVUl9Z+uA\
TxwtSGfskct8rJlGzqQFfA8Ql6T2UuN2q9CptpAOdluqld3ppZj0F7ureQmqekHwJksmDPabPFGJ/Lyz3Z2BFNKF3LjB/A5GQg==
<------------->
--- (17 headers 1 lines) ---
Sending to 10.10.23.58:5060 (NAT)
Receiving message!
Looking for proxy in dpma_message_context (domain 10.10.16.12)
<--- Transmitting (NAT) to 10.10.23.58:5060 --->
SIP/2.0 202 Accepted
Via: SIP/2.0/UDP A.B.C.D:5060;branch=z9hG4bKPj53zUxjkekZz5E541qcB5O-zcxncEYl2p;received=10.10.23.58;rport=5060
From: <sip:A.B.C.D>;tag=Xou4B3Oe0t358t0HmDB2OEcySmnUc4Os
To: <sip:proxy@10.10.16.12>;tag=as6d897c87
Call-ID: IZj7U3x.6r6miCqd00u2XWgjk4B4x9Jl
CSeq: 18281 MESSAGE
Server: Asterisk PBX certified/13.18-cert3
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
Content-Length: 0
With VPN enabled on the Digium D60 phone, shouldn’t the VPN-assigned IP address of 10.10.23.58 be used in the SIP from:<> header? That is, instead of
From: <sip:A.B.C.D>
shouldn’t it be
From: <sip:10.10.23.58> ?
The reason why this matters is because the whole point of having VPN support within the D60 is so that the asterisk server can reach it despite the phone being outside of the intranet where the asteirsk server resides. If the public internet IP address leaks into the SIP header after VPN in the D60 is established, the asterisk server will send traffic to the wrong (public) IP address A.B.C.D on a SIP reinvite.
I have tried filing a trouble issue report with Digium support, but was unsuccessful in getting past the first level of support, who could not understand why this is an issue.
I realize I can work around this by enabling NAT on the asterisk sip configuration, but that means reinvites don’t work and the asterisk server needs to remain in the media path for every phone call.
I believe that when VPN functionality is connected inside the D60, the VPN-assigned IP should be used in the SIP headers, not the phone’s public IP. Am I correct, or mistaken?
Thanks!