Hello guys,
my name is Filip Rezac and I am from VSB Technical University od Ostrava, Czech Republic.
We are dealing with a development project
where we encountered a possible problem in the
implementation of the Linphone SW client.
Situation is as follows:
- we have two networks each containing
a Kamailio SIP server, when these networks are
transparent to each other and the SIP servers
are interconnected by a SIP trunk.
- the SW desktop client Linphone in
version 5.2.1 with SIP account 103 is registered on
the kamailio.osk1.lab SIP server with IP:
10.10.0.190, where the client has a physical IP
address of 192.168.30.27 and the desktop also runs
an OVPN tunnel to the OSK1 network, which assigns
the IP address 10.11 .0.2.
- the HW phone Innovaphone IP112A with
SIP account 302 is registered on the second SIP
server kamailio.osk3.lab with IP: 10.3.1.190,
when the phone is directly connected via Ethernet to the
infrastructure and has IP 10.10.0.151.
- SIP over TLS security is set on both
SIP clients (switched to SIP over UDP for
debugging) and the media goes directly between the
clients secured by the DTLS-SRTP method.
- the whole topology is shown below:
- THE PROBLEM is as follows:
- if I make a call from the SW client Linphone (account 103) to the HW phone Innovaphone (account 302), signaling goes through without problems, the call is established properly and the media is secured by SRTP.
- however, if I make a call from the
Innovaphone HW phone (account 302) to the Linphone SW
client (account 103), the signaling goes through
without any problems, but a DTLS session error occurs
when setting up the call and the call ends within
about 5 seconds.
- signaling debug revealed that if the caller is a Linphone SW client (account 103), the client's VPN IP address is correctly indicated in the Message body of the INVITE message at line c of the SDP: 10.11.0.2 see. printscreen below:
- but if the caller is an Innovaphone HW phone (account 302), then in the 200 OK response, the physical IP address is incorrectly stated in the SDP line c: 192.168.30.27 instead of the VPN IP address (10.11.0.2), see prinscreen below:
- in our opinion, this causes a
subsequent error in the DTLS handshake and as a result
the call drops.
- the interesting thing about the whole
think is that if we simulate the same situation, but
both clients are connected to one kamailio SIP server
(there is no SIP trunk), then calls go through
from both sides without problems even if the Linphone SW
client is connected via OVPN tunnel.
- also, if we turn off encryption of
the media and the calls run through the pure RTP,
calls go through without problems even within the SIP
trunk.
- we also tried change various
settings on Linphone, unfortunately without success:
turning off
IPv6 support or set STUN server and enable ICE protocol.
- You can find the captured .pcap in the attachment , which contains both calls: first a working call from the SW client Linphone (account 103) to the HW phone Innovaphone (account 302) and then the second non-functioning call from the HW phone Innovaphone (account 302) to the SW client Linphone (account 103).
I understand that this is a rather unique situation, but it is very important for us that the call goes with DTLS-SRTP media encryption on both sides when using these clients, when the success of the entire development project depends on it.
I am therefore asking for your help and I will be fully available in case of questions or comments.
Thank You very much,
best regards,
Filip Řezáč
