Digium D60 phone VPN SIP header incorrect IP

I have a Digium D60 phone on the internet configured with the built-in OpenVPN functionality successfully configured. My D60 is able to connect to my asterisk server through openvpn successfully, but I believe there is a error with the SIP header sent from the Digium phone. Is there anyone from Digium who can review and assist?

Public IP of phone (masked for privacy): A.B.C.D
IP assigned to D60 phone with openvpn connection established:
Asterisk server:

The 10.10.x.x addresses are corporate IP addresses behind a firewall. All traffic on internal networks is routed properly. The asterisk server is able to ping the D60 phone at the VPN assigned IP,

With SIP debug enabled on asterisk, here is what I see when the Digium phone contacts the asterisk server:

<--- SIP read from UDP: --->
MESSAGE sip:proxy@;transport=udp SIP/2.0
Via: SIP/2.0/UDP A.B.C.D:5060;rport;branch=z9hG4bKPj53zUxjkekZz5E541qcB5O-zcxncEYl2p
Max-Forwards: 70
From: <sip:A.B.C.D>;tag=Xou4B3Oe0t358t0HmDB2OEcySmnUc4Os
To: <sip:proxy@>
Call-ID: IZj7U3x.6r6miCqd00u2XWgjk4B4x9Jl
CSeq: 18281 MESSAGE
Accept: text/plain, application/im-iscomposing+xml
User-Agent: Digium D60 2_6_5
X-Digium-User-Agent: Digium D60 2_6_5
X-Digium-AppServer-ID: aeprox173476371
X-Digium-AppServer-Message-Salt: 7B47CCFD0E07B75B
X-Digium-AppServer-MACAddress: 000FD30B1B8A
X-Digium-AppServer-Session: 8007087691818030893
X-Digium-AppServer-RequestType: AsteriskRequest
Content-Type: text/plain
Content-Length: 408

--- (17 headers 1 lines) ---
Sending to (NAT)
Receiving message!
Looking for proxy in dpma_message_context (domain

<--- Transmitting (NAT) to --->
SIP/2.0 202 Accepted
Via: SIP/2.0/UDP A.B.C.D:5060;branch=z9hG4bKPj53zUxjkekZz5E541qcB5O-zcxncEYl2p;received=;rport=5060
From: <sip:A.B.C.D>;tag=Xou4B3Oe0t358t0HmDB2OEcySmnUc4Os
To: <sip:proxy@>;tag=as6d897c87
Call-ID: IZj7U3x.6r6miCqd00u2XWgjk4B4x9Jl
CSeq: 18281 MESSAGE
Server: Asterisk PBX certified/13.18-cert3
Supported: replaces, timer
Content-Length: 0

With VPN enabled on the Digium D60 phone, shouldn’t the VPN-assigned IP address of be used in the SIP from:<> header? That is, instead of
From: <sip:A.B.C.D>
shouldn’t it be
From: <sip:> ?

The reason why this matters is because the whole point of having VPN support within the D60 is so that the asterisk server can reach it despite the phone being outside of the intranet where the asteirsk server resides. If the public internet IP address leaks into the SIP header after VPN in the D60 is established, the asterisk server will send traffic to the wrong (public) IP address A.B.C.D on a SIP reinvite.

I have tried filing a trouble issue report with Digium support, but was unsuccessful in getting past the first level of support, who could not understand why this is an issue.

I realize I can work around this by enabling NAT on the asterisk sip configuration, but that means reinvites don’t work and the asterisk server needs to remain in the media path for every phone call.

I believe that when VPN functionality is connected inside the D60, the VPN-assigned IP should be used in the SIP headers, not the phone’s public IP. Am I correct, or mistaken?


  1. Digium do not support their commercial products on these community forums.

  2. The domain part of SIP From headers should not be used for routing, so it is not important as to which interface it represents. In fact, as the result of proxying, it may be an interface that is only available many hops back.


Thank you for your reply. How does asterisk determine the IP address used for SIP reinvite? Is there a setting in sip.conf similar to nat=yes to get the correct IP, but still allow reinvite?

Asterisk follows the RFC and uses the Contact header to get the correct details for Re-INVITE.

When I looked closely at the code, there was no provision to manipulate the Contact header in chan_sip. Whilst this was mainly with Asterisk 1.6, the move to pjsip happened soon afterwards, so I doubt anything was added.

nat=yes is deprecated in favour of specifying required sub-options individually.

The rewrite_contact option in PJSIP will alter the Contact header to contain the actual source IP address and port of the traffic.