Rewriting IP address in SDP (Digium D60 uses wrong IP in SDP when OpenVPN is enabled)

I have some Digium D60 phones connected with their built-in OpenVPN functionality enabled. They are connecting to the PBX successfully and are also reachable from other phones on the same internal network.

The problem I have is that even though the phone connects successfully and transmits/receives through its VPN IP, the SIP INVITE message sent from the phone has some split personality issues going on; it uses its VPN IP address in the Contact header, but it still uses the public internet IP address in the SDP message body. For example, here is a sample INVITE from a D60 phone to the PBX (10.10.23.6 is the Phone’s OpenVPN IP, xxx.xxx.xxx.xxx is the Phone’s public IP, ppp.ppp.ppp.ppp is the PBX):

```
<--- Received SIP request (1012 bytes) from UDP:10.10.23.6:5060 --->
INVITE sip:726@ppp.ppp.ppp.ppp SIP/2.0
Via: SIP/2.0/UDP 10.10.23.6:5060;rport;branch=z9hG4bKPj0t5-Xzv5qL9HJ9f1dwN1.kId.xgY.e8A
Max-Forwards: 70
From: "\"Phone User\" <1588>" <sip:1588@ppp.ppp.ppp.ppp>;tag=CCq88kM2aT.IQRLqoGLIQ--XXkKqYRcB
To: <sip:726@ppp.ppp.ppp.ppp>
Contact: "\"Phone User\" <1588>" <sip:1588@10.10.23.6:5060;ob>
Call-ID: PKjsLN8AI0ItRUbjp56LFUcIfIJsFw.B
CSeq: 6976 INVITE
Allow: PRACK, INVITE, ACK, BYE, CANCEL, UPDATE, INFO, SUBSCRIBE, NOTIFY, REFER, MESSAGE, OPTIONS
Supported: replaces, 100rel, timer, norefersub
Session-Expires: 1800
Min-SE: 90
User-Agent: Digium D60 2_7_2
Content-Type: application/sdp
Content-Length: 356

v=0
o=- 246516781 246516781 IN IP4 xxx.xxx.xxx.xxx
s=digphn
b=AS:84
t=0 0
a=X-nat:0
m=audio 4002 RTP/AVP 0 8 9 111 96
c=IN IP4 xxx.xxx.xxx.xxx
b=TIAS:64000
a=rtcp:4003 IN IP4 xxx.xxx.xxx.xxx
a=sendrecv
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:9 G722/8000
a=rtpmap:111 G726-32/8000
a=rtpmap:96 telephone-event/8000
a=fmtp:96 0-16
```

I can work around this by enabling symmetric_rtp on asterisk so that the media stream goes back to the same source IP address at 10.10.23.6, but that requires the PBX box to remain in the media path when two phones call each other. The phones are able to reach each other, if I can just get asterisk to provide the correct VPN IP address in subsequent reinvites.

Does anyone have any suggestions on whether there is a way within asterisk to rewrite the xxx.xxx.xxx.xxx in SDP with the VPN IP from the Contact header? Currently on a reinvite the phones try to send media to the phones’ non-reachable xxx.xxx.xxx.xxx public IP address instead of the phones’ VPN IP.

In PJSIP there is a rewrite_contact option, but that is only to rewrite the contact header (which in my case is already correct). I need something similar to that but for the IP address in the SDP message body.

Is the phone also behind a NAT router? Where I’m not behind a NAT router, but am instead connected directly to the PBX, and where OpenVPN is in use, I don’t see this.

I did my test with the phone behind a NAT router. Are you saying that in your test, if the phone is assigned a public routable IP address and OpenVPN is enabled on the phone, then the OpenVPN IP address will be used in the SDP of the message, and not the public IP?

Even if this is the case, what’s the logic behind only using the OpenVPN IP in SDP when the main phone IP is publicly routable? I thought the point of OpenVPN support on the phone was to allow the phone to communicate directly with other devices on the OpenVPN-attached network.

Thanks.

This is peculiar. I’ve inserted a NAT router into the picture, and I’m not seeing it. In my case, everything’s still happening in the private address space. Phone’s NAT’d IP is 192.168.2.something. Phone’s VPN IP is 192.168.100.something. Public side of NAT is 10.something. On the far end of that is the concentrator, which is also running Asterisk, also on 10.somethingelse. In looking at the invite from the phone in Asterisk, the ‘c’ and ‘a’ lines have the phone’s VPN IP of 192.168.100.something in it. I don’t see 10.something anywhere in the INVITE.

malcolmd,

First, I would like to thank you for taking the time to help try to replicate my problem.

Regarding the actual problem itself, my problem using your example would be that the c and a lines in the INVITE would appear to use the phone NAT’d IP 192.168.2.x instead of the phone VPN IP 192.168.100.x

The behavior that you describe on your phone is exactly what I want! Are you provisioning your phone using DPMA for asterisk?

Aye. Not sure what the magic is yet that gets things in that state. :(

I’m using the method I outline here (Home - Asterisk Documentation). In my case, I spin up the phone using normal addresses for everything and I have it load the VPN config file. I’ve got a separate config file that contains VPN addresses for everything. Once the phone is up, I swap the type=phone config to the VPN config file and I issue a reconfigure to the phone. The VPN config file, in addition to having VPN addresses for everything (including config_server_url), also turns on the VPN function. The phone has triggers for that, and reboots itself. It comes back, and it’s presenting properly in SDP for me. Why that’s different from what you experience is still a mystery. Some experimentation may sleuth it out. I’m not sure that I’m going to be able to plumb around on it - many obligations otherwise.

I will try to set up a separate test system to replicate my problem on a clean environment. If I can replicate the issue and provide you with access, would you be willing to try out your phone on my system to see if you get the same result?

Malcolmd,

I set up a test server which consists of Asterisk 16.3.0 and openvpn running on the same box. I am able to replicate the problem on this clean setup. Would you be willing to attach your phone to my test server to see if you get the same result? I have set everything up so that you can log in and add your own phone’s MAC address. Here are the steps I took:

  1. Added my phone MAC address to res_digium_phone.conf and reloaded
  2. Booted up my Digium D60 phone and entered reconfiguration on startup
  3. Chose option 2, Digium Configuration Server and entered the public server IP
  4. Phone loads the configuration and automatically enables VPN, and it reboots.
  5. Phone now connects successfully on VPN IP to phone.
  6. Dialing an extension 700 on phone results in the following INVITE, where

s.s.s.s = asterisk IP
p.p.p.p = phone’s native IP address
v.v.v.v = phone’s VPN IP address

```
<--- Received SIP request (991 bytes) from UDP:v.v.v.v:5060 --->
INVITE sip:700@s.s.s.s SIP/2.0
Via: SIP/2.0/UDP v.v.v.v:5060;rport;branch=z9hG4bKPjTd.iOE-To2c5UUuG8ZKyXI7FLt.t4pot
Max-Forwards: 70
From: "\"Webtrader\" <1000>" <sip:v1000@s.s.s.s>;tag=KzABQkIB3BhQ4qoGcpyReshc53jLftAa
To: <sip:700@s.s.s.s>
Contact: "\"Steve\" <1000>" <sip:v1000@v.v.v.v:5060;ob>
Call-ID: i8XzPXT.GySIcArP-wBhwJO8ys24D283
CSeq: 32297 INVITE
Allow: PRACK, INVITE, ACK, BYE, CANCEL, UPDATE, INFO, SUBSCRIBE, NOTIFY, REFER, MESSAGE, OPTIONS
Supported: replaces, 100rel, timer, norefersub
Session-Expires: 1800
Min-SE: 90
User-Agent: Digium D60 2_7_2
Content-Type: application/sdp
Content-Length:   347

v=0
o=- 250555519 250555519 IN IP4 p.p.p.p
s=digphn
b=AS:84
t=0 0
a=X-nat:0
m=audio 4000 RTP/AVP 0 8 9 111 96
c=IN IP4 p.p.p.p
b=TIAS:64000
a=rtcp:4001 IN IP4 p.p.p.p
a=sendrecv
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:9 G722/8000
a=rtpmap:111 G726-32/8000
a=rtpmap:96 telephone-event/8000
a=fmtp:96 0-16
```
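
A check for the mismatch shown in the INVITE traces in this thread, added here as an example and not written by any poster or taken from Asterisk: it compares the Contact URI host with the addresses in the SDP `o=`, `c=` and `a=rtcp` lines of a captured message. The function names and the 203.0.113.7 / 198.51.100.5 sample addresses are assumptions made for the example.

```python
import re

# Constructed sample modelled on the traces above: 10.10.23.6 is the VPN IP,
# 203.0.113.7 stands in for the phone's native IP, 198.51.100.5 for the PBX.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:726@198.51.100.5 SIP/2.0",
    "Via: SIP/2.0/UDP 10.10.23.6:5060;rport;branch=z9hG4bKconstructed",
    'Contact: "\\"Phone User\\" <1588>" <sip:1588@10.10.23.6:5060;ob>',
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=- 246516781 246516781 IN IP4 203.0.113.7",
    "s=digphn",
    "t=0 0",
    "m=audio 4002 RTP/AVP 0 8",
    "c=IN IP4 203.0.113.7",
    "a=rtcp:4003 IN IP4 203.0.113.7",
    "a=sendrecv",
])

# Host part of a sip:/sips: URI, with or without a user part or port.
CONTACT_URI = re.compile(r"sips?:(?:[^@>;\s]+@)?(\[[^\]]+\]|[^:;>\s]+)", re.I)
# SDP lines that carry a connection address.
SDP_ADDR = re.compile(r"^(o=|c=|a=rtcp:).*\bIN IP[46] (\S+)")


def contact_host(headers):
    """Return the host of the URI in the Contact (or compact 'm') header."""
    for line in headers.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() in ("contact", "m"):
            match = CONTACT_URI.search(value)
            if match:
                return match.group(1)
    return None


def sdp_mismatches(message):
    """List (sdp_field, address) pairs whose address differs from the Contact host."""
    headers, _, body = message.replace("\r\n", "\n").partition("\n\n")
    host = contact_host(headers)
    if host is None:
        raise ValueError("no Contact URI found")
    found = []
    for line in body.splitlines():
        match = SDP_ADDR.match(line.strip())
        # Drop a multicast "/ttl" suffix before comparing.
        if match and match.group(2).split("/")[0] != host:
            found.append((match.group(1), match.group(2)))
    return found
```

An empty list means the SDP advertises the same address as the Contact header, which is the behaviour reported for the phone that presents its VPN IP.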