IPv4 DDNS for on Cisco IOS
Post by: thermionic on July 24, 2012, 06:21:14 AM
As nobody else has posted this, I thought that I might.

The configuration as below is for IPv4 dynamic addressing as provided by most Internet Service Providers on ADSL or Cable connections.

I have tested the below on a BT FTTC connection which uses PPPoE over VDSL where the PPPoE interface has a dynamic address. The connection also has a routed /29 "behind" the PPPoE dynamic address. As the router has a static public address (from the /29) on its "internal" interface (which then connects to the firewall so the firewall has a public routable address) the IPv6 tunnel is established from the "internal" interface so the IPv6 tunnel termination address does not change.

If you have any suggestions or improvements, please let me know.

In Global mode

Code:
ip ddns update method <method-name>
  add http://<f.q.d.n>:<password><h>&myip=<a>

Then on the dynamic addressed interface (usually Dialer 1)
Code:
ip ddns update hostname <f.q.d.n>
 ip ddns update <method-name> host

<method-name>  This is the name that you want to give the DDNS update, I usually use
<f.q.d.n>      This is the fully qualified domain name that is configured for Dynamic DNS on the control panel
<password>     This is the password for the fully qualified domain name that is configured for Dynamic DNS on the control panel
<h>            This is an internal Cisco IOS variable for the hostname that it gets from the configuration on the interface
<a>            This is an internal Cisco IOS variable for the dynamic address on the interface

Presuming that the method name is, the hostname being used is and the password is SuperSecretPassword the completed command should look something like this

In Global mode

Code:
ip ddns update method

Then on the dynamic addressed interface (usually Dialer 1)
Code:
ip ddns update hostname
 ip ddns update host

To enter a question mark <?> in IOS do ctrl+v then ?  (press and hold ctrl press v, release both, press ?)
Re: IPv4 DDNS for on Cisco IOS
Post by: HQuest on May 15, 2015, 09:19:59 AM
While still "old", this guide is relevant and fully functional; however, I have to add one missing link, which made me play for a while today after I found out my HE DNS wasn't being updated for quite a while.

As you may know, HE dynamic DNS services are using a self-signed certificate. As such, this certificate needs to be imported to the IOS, or the update process will fail. So all you need to do is:

In configure mode:
Code:
crypto pki trustpoint <method-name>
 enrollment terminal pem
 revocation-check none
 crl optional

Then, you need to have a copy of the self-signed certificate in a Base-64 encoded X.509 format. You can use your browser to export it. Open this copy in a text editor, copy its content and paste on the following settings:

Code:
crypto pki authenticate <method-name>

It will display the certificate Fingerprints in both MD5 and SHA1 (you can look back on the certificate details to double check if they indeed match), and then ask if you accept the certificate. Type yes, and you are good to save your config.

Recap + sample output - certificate should be valid until a) HE changes the certificate or b) it expires on March 22, 2021.

Code:
router(config)#crypto pki trustpoint DynDNSHENet
router(ca-trustpoint)#enrollment terminal pem
router(ca-trustpoint)#revocation-check none
router(ca-trustpoint)#crl optional
router(ca-trustpoint)#crypto pki authenticate DynDNSHENet

Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself
Certificate has the following attributes:
       Fingerprint MD5: C9D04C92 B9A32172 B48C1110 054E3CF6
      Fingerprint SHA1: 3FDE18F7 33EA46C2 CE737287 01FCFFA0 FCF40D06

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported

router(config)# _

Hope it helps.
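
An offline cross-check for the fingerprint comparison described in the post above, as an added example that is not part of the original thread: it computes the MD5 and SHA1 digests over the DER bytes of an exported PEM file and formats them in the grouped upper-case form shown in the sample output. The embedded PEM is a constructed placeholder (the bytes `abc`, not a real certificate), and all function names are hypothetical.

```python
import base64
import hashlib
import re

# Constructed sample: the payload is the three bytes b"abc", NOT a real
# certificate. Replace it with the PEM text exported from the browser.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text):
    """Return the DER bytes of the first certificate block in pem_text."""
    match = PEM_RE.search(pem_text)
    if not match:
        raise ValueError("no PEM certificate block found")
    # Drop line breaks, then decode strictly so stray characters are rejected.
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def ios_fingerprint(der, algo):
    """Format a digest as upper-case hex in space-separated groups of 8."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))


def normalise(fingerprint):
    """Strip spaces, colons and case so browser and router strings compare."""
    return re.sub(r"[^0-9A-Fa-f]", "", fingerprint).upper()


def matches_router(pem_text, router_md5, router_sha1):
    """True only if BOTH fingerprints typed in from the router match the PEM."""
    der = pem_to_der(pem_text)
    return (normalise(ios_fingerprint(der, "md5")) == normalise(router_md5)
            and normalise(ios_fingerprint(der, "sha1")) == normalise(router_sha1))


if __name__ == "__main__":
    der_bytes = pem_to_der(SAMPLE_PEM)
    print("Fingerprint MD5: ", ios_fingerprint(der_bytes, "md5"))
    print("Fingerprint SHA1:", ios_fingerprint(der_bytes, "sha1"))
```

Run it on the workstation that holds the exported file, and answer yes at the router prompt only when both lines agree with what the router prints.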
Re: IPv4 DDNS for on Cisco IOS
Post by: gibtrade on April 27, 2016, 06:51:12 AM
Hi I'm trying to replicate this.  As you said, although "old" very relevant and useful.

Unfortunately I'm getting "badauth" although I run the same command on a workstation specifying hostname & IP manually and auth is ok.

Any ideas?

EDIT:  Ok some more investigation and although it looks correct in the config there is something to do with maximum length of the http string.  A shorter password solved my problem.

Hope this saves someone else some head scratching.