I have some Digium D60 phones connected with their built-in OpenVPN functionality enabled. They are connecting to the PBX successfully and are also reachable from other phones on the same internal network.
The problem I have is that even though the phone connects successfully and transmits/receives through its VPN IP, the SIP INVITE message sent from the phone has some split personality issues going on; it uses it’s VPN IP address in the Contact header, but it still uses the public internet IP address in the SDP message body. For example, here is a sample INVITE from a D60 phone to the PBX (10.10.23.6 is the Phone’s OpenVPN IP, xxx.xxx.xxx.xxx is the Phone’s public IP, ppp.ppp.ppp.ppp is the PBX)
`<— Received SIP request (1012 bytes) from UDP:10.10.23.6:5060 —>
INVITE sip:726@ppp.ppp.ppp.ppp SIP/2.0
Via: SIP/2.0/UDP 10.10.23.6:5060;rport;branch=z9hG4bKPj0t5-Xzv5qL9HJ9f1dwN1.kId.xgY.e8A
Max-Forwards: 70
From: ““Phone User” <1588>” sip:1588@ppp.ppp.ppp.ppp;tag=CCq88kM2aT.IQRLqoGLIQ–XXkKqYRcB
To: sip:726@ppp.ppp.ppp.ppp
Contact: ““Phone User” <1588>” sip:1588@10.10.23.6:5060;ob
Call-ID: PKjsLN8AI0ItRUbjp56LFUcIfIJsFw.B
CSeq: 6976 INVITE
Allow: PRACK, INVITE, ACK, BYE, CANCEL, UPDATE, INFO, SUBSCRIBE, NOTIFY, REFER, MESSAGE, OPTIONS
Supported: replaces, 100rel, timer, norefersub
Session-Expires: 1800
Min-SE: 90
User-Agent: Digium D60 2_7_2
Content-Type: application/sdp
Content-Length: 356
v=0
o=- 246516781 246516781 IN IP4 xxx.xxx.xxx.xxx
s=digphn
b=AS:84
t=0 0
a=X-nat:0
m=audio 4002 RTP/AVP 0 8 9 111 96
c=IN IP4 xxx.xxx.xxx.xxx
b=TIAS:64000
a=rtcp:4003 IN IP4 xxx.xxx.xxx.xxx
a=sendrecv
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:9 G722/8000
a=rtpmap:111 G726-32/8000
a=rtpmap:96 telephone-event/8000
a=fmtp:96 0-16`
I can work around this by enabling symmetric_rtp on asterisk so that the media stream goes back to the same source IP address at 10.10.23.6, but that requires the PBX box to remain in the media path when two phones call each other. The phones are able reach each other, if I can just get asterisk to provide the correct VPN IP address in subsequent reinvites.
Does anyone have any suggestions on whether there is a way within asterisk to rewrite the xxx.xxx.xxx.xxx in SDP with the VPN IP from the Contact header? Currently on a reninvite the phones try to send media to the phones’ non-reachable xxx.xxx.xxx.xxx public IP address instead of the phones’ VPN IP.
In PJSIP there is a rewrite_contact option, but that is only to rewrite the contact header (which in my case is already correct). I need something similar to that but for the IP address in the SDP message body.