Hurricane Electric's IPv6 Tunnel Broker Forums

General IPv6 Topics => IPv6 on Routing Platforms => Topic started by: lucagervasi on October 11, 2009, 07:21:48 AM

Title: Autoupdate tunnel ptp on Cisco platforms (IOS 12.4 on c877 tested)
Post by: lucagervasi on October 11, 2009, 07:21:48 AM
Hello.

I'm starting to set up IPv6 connectivity at my home using HE.net tunnels. I'm in Italy, on a 20Mb home ADSL with a dynamic public IPv4 address. In such an environment, it's vital to update the tunnel source in an automated fashion.

Here is the code:

First, create an update method to bind to the Dialer interface:

ip ddns update method he-ipv6
HTTP
  add https://ipv4.tunnelbroker.net/ipv4_end.php?ipv4b=<a>&pass=___MD5PASS___&user_id=___USERID___&tunnel_id=___TUNNEL_ID___
interval maximum 15 0 0 0
!

You can use either "<a>" or AUTO. Using <a>, the URL is rewritten by IOS using the bound interface address (my Dialer0); "AUTO" lets he.net use the IPv4 address that sourced the request.
MD5PASS, USERID and TUNNEL_ID are your own values.

Then bind the ddns update to the interface:

interface Dialer0
description Interfaccia Dialer 20Mb
ip ddns update he-ipv6
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
no cdp enable
ppp authentication chap callin
ppp pap sent-username aliceadsl password 7 00000000000000000000
!


For dynamic IPv4 users like me, it's a good idea to change the he.net supplied snippet:

interface Tunnel0
description Hurricane Electric IPv6 Tunnel Broker
no ip address
ipv6 address my_routed64/64
ipv6 enable
tunnel source Dialer0
tunnel destination 216.66.80.26
tunnel mode ipv6ip
!

As you can see, I changed the "tunnel source" to match my dialing interface.

Now you need to setup the Vlan1 interface to use your routed-64 or routed-48.

I hope this will help someone :)

See Ya
Title: Re: Autoupdate tunnel ptp on Cisco platforms (IOS 12.4 on c877 tested)
Post by: Miraportuga on October 29, 2009, 05:54:28 AM
Luca, what exact command are you using on the update method?
I'm asking this because the link to update the IP has a "?" and IOS doesn't accept this, since "?" is the help command.
I'm trying to use an ASCII table to find the value for "?" and do this, but haven't got any results so far.
What else can be done so that the router updates the IP by itself?

Cheers
Title: Re: Autoupdate tunnel ptp on Cisco platforms (IOS 12.4 on c877 tested)
Post by: lucagervasi on October 29, 2009, 09:08:54 AM
You must press CTRL+V prior to inserting the question mark. Then the "?" will no longer bring you to the contextual help.

see Ya
Title: Re: Autoupdate tunnel ptp on Cisco platforms (IOS 12.4 on c877 tested)
Post by: shaunebop on October 30, 2009, 08:44:10 AM
I'm struggling with this also, guys. Could you confirm that the user ID is the long string on the main tunnel broker page, and also, do we need to put the password in as plain text or do we need to run it through a hash creator and then type the actual hash in place of the password?

I have tried all ways and don't seem to be having any luck  >:(

Here is what I'm using:   add https://ipv4.tunnelbroker.net/ipv4_end.php?ipv4b=<a>&pass=420cd5c188d6****1401a2345042e2d5&user_id=7f24b5fa534cd76****1745b0ee4b983&tunnel_id=4****


Thanks Shaun
Title: Re: Autoupdate tunnel ptp on Cisco platforms (IOS 12.4 on c877 tested)
Post by: lucagervasi on October 30, 2009, 09:57:40 AM
You must hash the password without the trailing newline...

echo -n mypassword | md5sum

does it work now?

Try loading the URL in the browser.
Title: Re: Autoupdate tunnel ptp on Cisco platforms (IOS 12.4 on c877 tested)
Post by: shaunebop on October 30, 2009, 10:08:21 AM
Thanks for the reply, but I don't really get what you mean. Could you maybe show me an example of what you mean?

Thanks Shaun
Title: Re: Autoupdate tunnel ptp on Cisco platforms (IOS 12.4 on c877 tested)
Post by: lucagervasi on October 30, 2009, 10:21:11 AM
If you paste the url in your browser window, it gives you something like "username & password mismatch" or "endpoint successfully updated".

What did you get?

See Ya
Title: Re: Autoupdate tunnel ptp on Cisco platforms (IOS 12.4 on c877 tested)
Post by: shaunebop on October 30, 2009, 10:44:03 AM
Doh, I think this is where the problem is: the URL takes me to "There is a problem with this website's security certificate". If I click to continue, it updates fine. Any ideas how I can get the router to bypass the page that comes up with the certificate warning, as this is where the router is aborting the connection and not updating my IP address at the tunnel broker? I also have not got a clue when it comes to certificates  :o

Thanks for your help so far, much appreciated
Title: Re: Autoupdate tunnel ptp on Cisco platforms (IOS 12.4 on c877 tested)
Post by: gawul00 on November 02, 2009, 05:09:07 PM
I noticed a couple things when trying this:

1. If I try the update with non-secure http - the IOS ddns updater will not use an appropriate hostname in the HTTP GET request Host field to the server.  Instead of using the provided ipv4.tunnelbroker.net hostname, it is using the ip address 64.85.73.40 and the server rejects this request as unknown.

2. tunnelbroker.net uses a self-signed certificate.  IOS is only able to load CA root certificates, not the resulting signed certificates.  There is no way to load the certificate the website presents to allow for IOS to accept the connection.  Without accepting the connection an error is presented (seen by enabling debug ip ddns update):  Nov  2 2009 19:01:38.378 CST: HTTPDNSUPD: Call returned Request Aborted, update of testhost.gawul.net <=> 216.165.xxx.xxx failed
Title: Re: Autoupdate tunnel ptp on Cisco platforms (IOS 12.4 on c877 tested)
Post by: gawul00 on November 02, 2009, 05:12:21 PM
I should have noted - I was testing on a 1721 router, not an 877

Cisco IOS Software, C1700 Software (C1700-K9O3SY7-M), Version 12.4(25b)
Title: Re: Autoupdate tunnel ptp on Cisco platforms (IOS 12.4 on c877 tested)
Post by: lucagervasi on November 03, 2009, 11:25:39 AM
If you can't directly get the https page, put this php script somewhere and call it.

It's just some php script taken and rapidly adapted.

Let me know if you find it useful :)

See Ya
Title: Re: Autoupdate tunnel ptp on Cisco platforms (IOS 12.4 on c877 tested)
Post by: pkorovin on December 04, 2009, 01:37:03 PM
Actually there is a way to load the self-signed certificate from tunnelbroker's website and make ddns update method work over HTTPS.
Tested on 12.4(20)-12.4(24).

crypto pki trustpoint tunnelbroker
enrollment terminal pem
revocation-check none
!
crypto pki certificate chain tunnelbroker
certificate ca 00BC201A57EBB49897
  308202B1 3082021A 020900BC 201A57EB B4989730 0D06092A 864886F7 0D010104
  05003081 9C310B30 09060355 04061302 55533113 30110603 55040813 0A43616C
  69666F72 6E696131 10300E06 03550407 13074672 656D6F6E 74312030 1E060355
  040A1317 48757272 6963616E 6520456C 65637472 69632C20 4C4C4331 0D300B06
  0355040B 13044950 56363119 30170603 55040313 1074756E 6E656C62 726F6B65
  722E6E65 74311A30 1806092A 864886F7 0D010901 160B696E 666F4068 652E6E65
  74301E17 0D303730 37313130 31333533 315A170D 31373037 30383031 33353331
  5A30819C 310B3009 06035504 06130255 53311330 11060355 0408130A 43616C69
  666F726E 69613110 300E0603 55040713 07467265 6D6F6E74 3120301E 06035504
  0A131748 75727269 63616E65 20456C65 63747269 632C204C 4C43310D 300B0603
  55040B13 04495056 36311930 17060355 04031310 74756E6E 656C6272 6F6B6572
  2E6E6574 311A3018 06092A86 4886F70D 01090116 0B696E66 6F406865 2E6E6574
  30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00D7247C
  252A7E69 754A8501 9186608F 2C96E4BE 96E4B636 28A17A56 535C01A4 13C86B96
  44B75E3D C060B927 75D5A072 84D754C9 48F4B2B4 B4440C3D 904857F4 178D71EA
  1EF84E6F 88684F5E 30F956F2 48F45718 3A9489A9 096019CD 15988847 C380E750
  3033DFA9 5191A434 400960C5 C4F9387C 7AEB5AF3 3C633D2D 241208C6 6F020301
  0001300D 06092A86 4886F70D 01010405 00038181 00554596 289633CD 361C3A98
  968BDE20 939975C9 D786942E 6269C380 71C2F4F0 1A74E55C 63376492 60684350
  0F49FBA0 90711CEF 373FBF38 E232556C EB63C56A A1718BAF 760A49C6 0A7C320A
  7F879BF3 C55B1F98 9CEC8D2C 28E2DA83 986D366B 7BDEE7E6 264AACE9 3F84964E
  CBB6ECC5 135D9945 A0CB4BAB BA08B7DF 517DCBB7 1F
        quit
!
ip ddns update method tunnelbroker
HTTP
  add https://ipv4.tunnelbroker.net/ipv4_end.php?ipv4b=AUTO&pass=MD5PASS&user_id=USERID&tunnel_id=GTUNID
interval maximum 1 0 0 0
interval minimum 1 0 0 0
!
interface Tunnel0
ip ddns update tunnelbroker

Title: Re: Autoupdate tunnel ptp on Cisco platforms (IOS 12.4 on c877 tested)
Post by: jimb on December 04, 2009, 02:16:48 PM
That's workable I guess.  It'd be nicer if they simply gave you a way to automatically accept self-signed (or other problem) certs based on the URL or something like that, without having to embed it statically into the config.
Title: Re: Autoupdate tunnel ptp on Cisco platforms (IOS 12.4 on c877 tested)
Post by: gawul00 on December 04, 2009, 07:11:18 PM
pkorovin,

How did you add this certificate initially?  I kept getting an error that the router did not like the first line of the certificate that I was pulling down from the tunnelbroker website.
Title: Re: Autoupdate tunnel ptp on Cisco platforms (IOS 12.4 on c877 tested)
Post by: pkorovin on December 04, 2009, 10:55:08 PM
gawul00,

Since the certificate is self-signed, I accepted the security exception in Firefox & exported the certificate from the browser store to Base-64 encoded X.509 (.CER). Then I enrolled it from terminal (via copy-paste) on Cisco router.

http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_cert_enroll_pki.html#wp1073636 (http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_cert_enroll_pki.html#wp1073636)
Title: Re: Autoupdate tunnel ptp on Cisco platforms (IOS 12.4 on c877 tested)
Post by: gawul00 on December 05, 2009, 10:09:23 PM
Thanks, that worked like a charm.  I pulled some other cisco site info that led me down the wrong path previously.
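Before pasting a hex blob like the one above into a trustpoint, it is worth checking what it actually contains. The following is an added example for this thread, not code from the posts, from Hurricane Electric or from Cisco: the IOS hex dump is plain DER, so a small standard-library ASN.1 reader is enough to recover the serial number, signature algorithm, validity window and subject CN. That lets you confirm that the blob matches the `certificate ca <serial>` line, and that the router clock falls inside notBefore/notAfter (the NTP point raised later in the thread). The sample input is the 2007 certificate copied verbatim from pkorovin's post; the same function reads the renewed and CA-issued certificates posted later in the thread.

```python
"""Sanity-check a certificate blob destined for a Cisco IOS
"crypto pki certificate chain" block.

Added example for this thread (not code from the posts, HE or Cisco).
Parses the DER hidden in the IOS hex dump with the standard library only
and returns serial, signature algorithm, validity window and subject CN.
Handles v1 and v3 certificates with UTCTime validity (dates before 2050).
"""
import hashlib
import re
from datetime import datetime

# Sample input: the 2007 self-signed tunnelbroker.net certificate, copied
# verbatim from the IOS config posted in the thread (serial 00BC201A57EBB49897).
IOS_HEX_2007 = """
308202B1 3082021A 020900BC 201A57EB B4989730 0D06092A 864886F7 0D010104
05003081 9C310B30 09060355 04061302 55533113 30110603 55040813 0A43616C
69666F72 6E696131 10300E06 03550407 13074672 656D6F6E 74312030 1E060355
040A1317 48757272 6963616E 6520456C 65637472 69632C20 4C4C4331 0D300B06
0355040B 13044950 56363119 30170603 55040313 1074756E 6E656C62 726F6B65
722E6E65 74311A30 1806092A 864886F7 0D010901 160B696E 666F4068 652E6E65
74301E17 0D303730 37313130 31333533 315A170D 31373037 30383031 33353331
5A30819C 310B3009 06035504 06130255 53311330 11060355 0408130A 43616C69
666F726E 69613110 300E0603 55040713 07467265 6D6F6E74 3120301E 06035504
0A131748 75727269 63616E65 20456C65 63747269 632C204C 4C43310D 300B0603
55040B13 04495056 36311930 17060355 04031310 74756E6E 656C6272 6F6B6572
2E6E6574 311A3018 06092A86 4886F70D 01090116 0B696E66 6F406865 2E6E6574
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00D7247C
252A7E69 754A8501 9186608F 2C96E4BE 96E4B636 28A17A56 535C01A4 13C86B96
44B75E3D C060B927 75D5A072 84D754C9 48F4B2B4 B4440C3D 904857F4 178D71EA
1EF84E6F 88684F5E 30F956F2 48F45718 3A9489A9 096019CD 15988847 C380E750
3033DFA9 5191A434 400960C5 C4F9387C 7AEB5AF3 3C633D2D 241208C6 6F020301
0001300D 06092A86 4886F70D 01010405 00038181 00554596 289633CD 361C3A98
968BDE20 939975C9 D786942E 6269C380 71C2F4F0 1A74E55C 63376492 60684350
0F49FBA0 90711CEF 373FBF38 E232556C EB63C56A A1718BAF 760A49C6 0A7C320A
7F879BF3 C55B1F98 9CEC8D2C 28E2DA83 986D366B 7BDEE7E6 264AACE9 3F84964E
CBB6ECC5 135D9945 A0CB4BAB BA08B7DF 517DCBB7 1F
"""

_SIG_ALGS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
             "1.2.840.113549.1.1.5": "sha1WithRSAEncryption"}

def _tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """(tag, value) pairs directly inside a constructed SEQUENCE/SET."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out

def _oid(raw):
    """DER OID content bytes -> dotted decimal string."""
    parts, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(n)
            n = 0
    return ".".join(map(str, parts))

def _common_name(name):
    """CN (OID 2.5.4.3) from a Name: SEQUENCE OF SET OF SEQUENCE {OID, value}."""
    for _, rdn in _children(name):
        for _, attr in _children(rdn):
            (_, oid), (_, value) = _children(attr)
            if _oid(oid) == "2.5.4.3":
                return value.decode("ascii", "replace")
    return None

def parse_ios_cert(hex_block):
    """Parse an IOS 'certificate ca' hex dump into the fields worth checking."""
    der = bytes.fromhex(re.sub(r"\s+", "", hex_block))
    _, cert, end = _tlv(der, 0)                     # Certificate ::= SEQUENCE
    if end != len(der):
        raise ValueError("dump is truncated or has extra bytes")
    (_, tbs), (_, sig_alg), _ = _children(cert)     # tbsCertificate, algorithm, signature
    fields = _children(tbs)
    version = 1
    if fields[0][0] == 0xA0:                        # [0] EXPLICIT version, only in v2/v3
        version, fields = fields[0][1][2] + 1, fields[1:]
    (_, serial), _, _, (_, validity), (_, subject) = fields[:5]
    not_before, not_after = (datetime.strptime(v.decode("ascii"), "%y%m%d%H%M%SZ")
                             for _, v in _children(validity))
    return {"version": version,
            "serial": serial.hex().upper(),         # same spelling as the IOS line
            "sig_alg": _SIG_ALGS.get(_oid(_children(sig_alg)[0][1]), "unknown"),
            "subject_cn": _common_name(subject),
            "not_before": not_before, "not_after": not_after,
            "sha1_fingerprint": hashlib.sha1(der).hexdigest().upper()}

def valid_at(info, when):
    """True when clock 'when' (datetime or ISO-8601 string) is inside the validity window."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    return info["not_before"] <= when <= info["not_after"]

if __name__ == "__main__":
    for key, value in parse_ios_cert(IOS_HEX_2007).items():
        print(f"{key:17} {value}")
```

Compare the printed SHA-1 fingerprint with what the browser or `openssl s_client` shows for the live site; if they differ, you are about to pin a certificate the server no longer presents, which is exactly the "bad certificate" failure reported further down the thread after the certificate was renewed.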
Title: Re: Autoupdate tunnel ptp on Cisco platforms (IOS 12.4 on c877 tested)
Post by: iannet on December 14, 2009, 01:35:38 PM
This is a good script, but for those like me who use mainly Windows I have created the following application to detect when the IP changes and update the tunnel IP Address automatically.

You can find more details here: http://www.iannet.org/apps/TunnelBrokerUpdate (http://www.iannet.org/apps/TunnelBrokerUpdate)

ps: Requirements Microsoft .NET Framework 2.0

Feel free to drop any comments and suggestions
Ian
Title: Re: Autoupdate tunnel ptp on Cisco platforms (IOS 12.4 on c877 tested)
Post by: smanet on December 15, 2009, 03:36:31 AM
Hello all,
I looked for this about two months ago without success. I'm now making some tests using the HTTPS protocol and I want to thank pkorovin for the certificate import procedure and lucagervasi for starting this post. Anyway, at one time I tried to update it by HTTP only, and sometimes it worked and sometimes not. If someone wants to make some tests to avoid the use of that certificate, they're welcome. I'm using a Cisco 877 with 12.4(15)T11.
If someone is interested, I'll let you know if HTTPS works fine with this IOS release.

Goodbye

Sandro
Title: Re: Autoupdate tunnel ptp on Cisco platforms (IOS 12.4 on c877 tested)
Post by: lucagervasi on December 15, 2009, 03:50:30 AM
Is the router date "up-to-date" ?

The certificate has a not-before and not-after date of validity. If the router date is incorrect, you can "invalidate" an otherwise valid certificate.

Try using ntp.

Greetings.

Luca
Title: Re: Autoupdate tunnel ptp on Cisco platforms (IOS 12.4 on c877 tested)
Post by: smanet on December 15, 2009, 10:15:27 AM
Yes, of course. I'm using NTP servers from SixXS.
Now with HTTPS it looks fine; I'll check it for some days. Then I'll try again with HTTP only. If you try by hand from the browser you'll see that HTTP is fine too for updating the endpoint IP.

Goodbye

Sandro
Title: Re: Autoupdate tunnel ptp on Cisco platforms (IOS 12.4 on c877 tested)
Post by: jhawkes on January 20, 2010, 05:05:42 PM
It works on a Cisco 871 with the following IOS:-
show ver
Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Wed 02-Dec-09 18:42 by prod_rel_team

It took a while to get the User_ID and Tunnel_ID worked out.
There is a HE.NET URL that gives you the info
https://ipv4.tunnelbroker.net/ipv4_end.php

Please use the format https://ipv4.tunnelbroker.net/ipv4_end.php?ipv4b=$IPV4ADDR&pass=$MD5PASS&user_id=$USERID&tunnel_id=$GTUNID
Where:

$IPV4ADDR = The new IPv4 Endpoint (AUTO to use the requesting client's IP address)
$MD5PASS = The MD5 Hash of your password
$USERID = The UserID from the main page of the tunnelbroker (not your username)
$GTUNID = The Global Tunnel ID from the tunnel_details page
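The URL format above, the "hash without the newline" point made earlier in the thread, and the missing-"?" problem can all be checked off the router before touching IOS. The following is an added example for this thread, not code from the posts or from Hurricane Electric: it reproduces what the `ip ddns update method` line does (MD5 of the bare password, substitution of the bound interface address for `<a>`, assembly of the `ipv4_end.php` query in the `$IPV4ADDR`/`$MD5PASS`/`$USERID`/`$GTUNID` format quoted in this post) and lints a pasted URL for the mistakes seen in the thread. The credentials in it are constructed placeholders, and the lint rules are assumptions drawn from this thread, not HE's documented validation.

```python
"""Build and lint a tunnelbroker.net endpoint-update URL off the router.

Added example for this thread, not code from the posts or from Hurricane
Electric. Mirrors the IOS "ip ddns update method" behaviour discussed above;
the lint rules encode the mistakes seen in this thread (assumption, not HE's
official validation). Credentials used here are constructed placeholders.
"""
import hashlib
import re
from urllib.parse import parse_qs, urlencode, urlsplit

ENDPOINT = "https://ipv4.tunnelbroker.net/ipv4_end.php"
REQUIRED = ("ipv4b", "pass", "user_id", "tunnel_id")

def md5_password(password: str) -> str:
    """Hex MD5 of the bare password; hashing "password\\n" (echo without -n) differs."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def build_update_url(password: str, user_id: str, tunnel_id: str, ipv4: str = "AUTO") -> str:
    """Assemble the update URL. ipv4 is "AUTO", a literal address, or the IOS
    placeholder "<a>", which is left unescaped so IOS can still rewrite it."""
    query = {"ipv4b": ipv4, "pass": md5_password(password),
             "user_id": user_id, "tunnel_id": tunnel_id}
    return ENDPOINT + "?" + urlencode(query, safe="<>")

def ios_substitute(template: str, interface_ip: str) -> str:
    """Mimic IOS replacing <a> with the address of the interface the method is bound to."""
    return template.replace("<a>", interface_ip)

def lint_update_url(url: str) -> list:
    """Return human-readable problems with a pasted update URL (empty list = looks right)."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.netloc != "ipv4.tunnelbroker.net":
        problems.append("URL does not point at ipv4.tunnelbroker.net over http(s)")
    if not parts.query:
        # The first post's URL had this problem: IOS ate the '?' as the help key.
        problems.append("no query string: the '?' after ipv4_end.php is missing "
                        "(press Ctrl-V before typing '?' in IOS)")
        return problems
    query = parse_qs(parts.query, keep_blank_values=True)
    for name in REQUIRED:
        if not query.get(name, [""])[0]:
            problems.append(f"missing or empty parameter {name}")
    if not re.fullmatch(r"[0-9a-fA-F]{32}", query.get("pass", [""])[0]):
        problems.append("pass is not a 32-hex-digit MD5 hash (plaintext password?)")
    ipv4 = query.get("ipv4b", [""])[0]
    if ipv4 not in ("AUTO", "<a>") and not re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", ipv4):
        problems.append("ipv4b must be AUTO, <a> or a dotted IPv4 address")
    return problems

if __name__ == "__main__":
    url = build_update_url("password", "0123456789abcdef", "12345", ipv4="<a>")
    print(url)
    print(ios_substitute(url, "203.0.113.7"))
    print(lint_update_url("https://ipv4.tunnelbroker.net/ipv4_end.phpipv4b=<a>&pass=x"))
```

Note that nothing in the query changes between runs: the MD5 of the password is a static bearer credential, so anyone who captures one plaintext-HTTP update can replay it (or send a different `ipv4b`) until the password is changed, which is the replay concern raised later in the thread and the reason to prefer HTTPS.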
Title: Re: Autoupdate tunnel ptp on Cisco platforms (IOS 12.4 on c877 tested)
Post by: PatrickDickey on June 24, 2010, 10:34:31 PM
Quote from: iannet on December 14, 2009, 01:35:38 PM
This is a good script, but for those like me who use mainly Windows I have created the following application to detect when the IP changes and update the tunnel IP Address automatically.

You can find more details here: http://www.iannet.org/apps/TunnelBrokerUpdate (http://www.iannet.org/apps/TunnelBrokerUpdate)

ps: Requirements Microsoft .NET Framework 2.0

Feel free to drop any comments and suggestions
Ian

I would like to make a couple of suggestions for your program, if I can...

The first is to make an actual installer, so people don't have to constantly run it from the zip file (or its extracted location).  The second is to create an autostart with Windows (or run as a service).

Also, is the source code available for the program?  I may be able to update it to VS10 if you are interested.

Have a great day:)
Patrick.
Title: Re: Autoupdate tunnel ptp on Cisco platforms (IOS 12.4 on c877 tested)
Post by: candlerb on January 14, 2011, 04:12:39 AM
Excellent instructions. Of course, you also need

ipv6 route ::/0 tunnel0

Took me a moment to realise this :-)
Title: Re: Autoupdate tunnel ptp on Cisco platforms (IOS 12.4 on c877 tested)
Post by: dfroe on May 08, 2011, 06:12:08 AM
If you have trouble using https, you can also use http to update the endpoint ip.
Here is a part of my config (tested on a cisco 1941).


ip ddns update method tunnelbroker
HTTP
 add http://ipv4.tunnelbroker.net/ipv4_end.php?ip=<a>&pass=__MD5PASS__&apikey=__USERID__&tid=__GTUNID__
!
interface Dialer1
ip ddns update tunnelbroker


You will have to replace __MD5PASS__, __USERID__ and __GTUNID__ with your values. <a> will be replaced by IOS with the IP of the associated dialer interface. This seems to be a quite simple way, although it might be vulnerable to replay attacks if somebody captures the HTTP request.

regards
David
Title: Re: Autoupdate tunnel ptp on Cisco platforms (IOS 12.4 on c877 tested)
Post by: hestonk on July 03, 2011, 11:59:09 PM
I can confirm this is working on my Cisco 1811, IOS 12.4(22)T3.


And it looks like ipv4.tunnelbroker.net had its self-signed certificate renewed on May 22nd, 2011...


The following is the new cisco code to install the self-signed cert onto your router. Hope this helps...

crypto pki trustpoint tunnelbroker
enrollment terminal pem
revocation-check none
!
!
crypto pki certificate chain tunnelbroker
certificate ca 00F17A2250E699D461
  308203F0 308202D8 A0030201 02020900 F17A2250 E699D461 300D0609 2A864886
  F70D0101 05050030 819C310B 30090603 55040613 02555331 13301106 03550408
  130A4361 6C69666F 726E6961 3110300E 06035504 07130746 72656D6F 6E743120
  301E0603 55040A13 17487572 72696361 6E652045 6C656374 7269632C 204C4C43
  310D300B 06035504 0B130449 50763631 19301706 03550403 13107475 6E6E656C
  62726F6B 65722E6E 6574311A 30180609 2A864886 F70D0109 01160B69 70763640
  68652E6E 6574301E 170D3131 30343232 31373432 32305A17 0D323130 34313931
  37343232 305A3081 9C310B30 09060355 04061302 55533113 30110603 55040813
  0A43616C 69666F72 6E696131 10300E06 03550407 13074672 656D6F6E 74312030
  1E060355 040A1317 48757272 6963616E 6520456C 65637472 69632C20 4C4C4331
  0D300B06 0355040B 13044950 76363119 30170603 55040313 1074756E 6E656C62
  726F6B65 722E6E65 74311A30 1806092A 864886F7 0D010901 160B6970 76364068
  652E6E65 74308201 22300D06 092A8648 86F70D01 01010500 0382010F 00308201
  0A028201 0100DEE6 7CDAF334 3F0224FE C9273899 96262CC7 08ADC537 ABA644C0
  8639BC78 36721CC2 24608F40 8C2D0627 B1499EC2 58BF3F1A 374F5ACE 83A02BAD
  0D2E9594 619A4612 5DD29A54 381DEE64 B72A9DF6 34FDDE34 5A94459B 8F72015D
  DF9A1420 EF8E0129 4CF6F95D B7137B4F 9F8517AB 9D3B750D D198D899 A12FD3F8
  351BB755 115C5643 20999CE2 F8E761F1 90854CE1 6D665B0B B2797CC1 674C548B
  356368BB 876B5B07 00A66E05 8CF7D5AF EB5D6A78 C612CF1B 30649B5E 8E818ED4
  AD884CB5 C89DD01B 264BC2E5 1170C32F 0D5D3AFE 173636FF 4C64F51A 20FBD798
  D712B95B D8DCC262 0F50A209 65667E23 B787B6F9 1262160B E6693BD2 F7324EBF
  8FF32059 1EA30203 010001A3 33303130 2F060355 1D110428 30268210 74756E6E
  656C6272 6F6B6572 2E6E6574 82122A2E 74756E6E 656C6272 6F6B6572 2E6E6574
  300D0609 2A864886 F70D0101 05050003 82010100 5CC1B964 E7B2442C C810F60F
  B5929BAF 53740A48 811DFFBB 6D5A94A9 F89F12D7 BA4BF79D A5477323 307D5ADB
  78F380ED F3C7007A 0E011F6C FE2B1D82 944F4FC6 D4D23022 276489E2 BA82E168
  13F40624 5712EAD3 61DADE16 67A7FD2E 5C0A47DF 56BF9E24 693DDA54 1001D32B
  932CF690 3D4D0B00 9A129D70 F43625B4 36DF0B6B FC052222 10A56F0F BD955BA1
  36AFB02F 5BBDECDF E13759C5 9BB7AA55 AAB29F14 7E26287D 0147B9CB CE6E7376
  EA230AF2 1D1F71A3 7A5C8B77 B954551D CDF03CFA DBAB4ECE 78BF6F31 E96C7DD3
  74C94122 5DDFEDCE 35C1CA05 1B9CD265 FD66BE0C 8E9D294E 9CD9A5C4 C6E77E7A
  C8C88C9F 633D4BF1 45AA5991 9BC49607 11770EAC
        quit
!
!

Title: Re: Autoupdate tunnel ptp on Cisco platforms (IOS 12.4 on c877 tested)
Post by: trevorwarwick on August 19, 2011, 09:22:18 AM
It's also working for me with 15.1(2)T on an 877. I found that I had to specify "ip ddns update hostname" on the interface, even though it's not really needed for the HTTP update.   I'm using the manually-applied certificate that someone provided in a previous post in this thread.


ip ddns update method he-ipv6
HTTP
 add https://ipv4.tunnelbroker.net/ipv4_end.php?ip=AUTO&pass=0000deadbeeef....&apikey=00000cafe.........&tid=12345
interval maximum 28 0 0 0
interval minimum 7 0 0 0

interface ATM0.1 point-to-point
ip ddns update hostname something.dyndns-at-home.com
ip ddns update he-ipv6
ip address dhcp
ip access-group v4in in
no ip proxy-arp
ip nat outside
ip inspect myfw out
ip virtual-reassembly in
atm route-bridged ip
pvc 0/101
 oam-pvc manage
 encapsulation aal5snap
!

Title: Re: Autoupdate tunnel ptp on Cisco platforms (IOS 12.4 on c877 tested)
Post by: Ne3s23p2 on December 05, 2011, 04:51:05 PM
How to import the certificate from '$ openssl s_client -connect ipv4.tunnelbroker.net:443' with correct flags into the router ?
It does not work on my 1721 (IOS 12.4-15.T14) with 'crypto pki authenticate tunnelbroker' and pasting the certificate.
The debug options for ddns and crypto pki are set. Most interesting thing in the debug output: 'CRYPTO-PKI: Cert has the following key-usage flags: Digital-Signature, Key-Encipherment'.
After a 'clear int dial0' to get a new dynamic ipv4, the ddns update fails with 'CRYPTO_PKI: Can't find encryption certificate for trustpoint (tunnelbroker)' then 'HTTPDNSUPD: Call returned Request Aborted for update [my hostname] <=> [my ipv4]' between lots of debug lines.
Where to tell the cert is to be used for encryption ?
Title: Re: Autoupdate tunnel ptp on Cisco platforms (IOS 12.4 on c877 tested)
Post by: hestonk on December 13, 2011, 09:41:41 AM
I just noticed today that 2 of my sites are no longer updating the endpoints properly.
One is a c2801 and the other is a c1811 running 15.1(4)M

Here's a snippet from one of the routers.

I'm not too sure what the issue is here. Perhaps the SSLv3 negotiation isn't handshaking properly?....
Kinda at a loss, let me know if you guys have any ideas.

000715: *Dec 13 13:32:40.327 PCTime: DYNDNSUPD: Adding DNS mapping for tor1 <=> 50.100.x.x
000716: *Dec 13 13:32:40.327 PCTime: HTTPDNS: Update add called for tor1 <=> 50.100.x.x
000717: *Dec 13 13:32:40.327 PCTime: HTTPDNSUPD: Session ID = 0x3C
000718: *Dec 13 13:32:40.327 PCTime: HTTPDNSUPD: URL = 'https://ipv4.tunnelbroker.net/ipv4_end.php?pass=----&apikey=----&tid=----'
000719: *Dec 13 13:32:40.327 PCTime: HTTPDNSUPD: Sending request
000720: *Dec 13 13:32:40.663 PCTime: opssl_SetPKIInfo entry
000721: *Dec 13 13:32:40.663 PCTime: opssl_SetPKIInfo done.
000722: *Dec 13 13:32:40.663 PCTime: Handshake start: before/connect initialization
000723: *Dec 13 13:32:40.663 PCTime: SSL_connect:before/connect initialization
000724: *Dec 13 13:32:40.667 PCTime: SSL_connect:SSLv3 write client hello A
000725: *Dec 13 13:32:40.667 PCTime: SSL_connect:would block on read in SSLv3 read server hello A
000726: *Dec 13 13:32:40.755 PCTime: SSL_connect:SSLv3 read server hello A
000727: *Dec 13 13:32:40.755 PCTime: SSL_connect:would block on read in SSLv3 read server certificate A
000728: *Dec 13 13:32:40.755 PCTime: SSL_connect:would block on read in SSLv3 read server certificate A
000729: *Dec 13 13:32:40.839 PCTime: SSL_connect:would block on read in SSLv3 read server certificate A
000730: *Dec 13 13:32:40.839 PCTime: SSL_connect:would block on read in SSLv3 read server certificate A
000731: *Dec 13 13:32:40.843 PCTime: SSL_connect:would block on read in SSLv3 read server certificate A
000732: *Dec 13 13:32:40.863 PCTime: SSL3 alert write:fatal:bad certificate
000733: *Dec 13 13:32:40.863 PCTime: SSL_connect:error in SSLv3 read server certificate C
000734: *Dec 13 13:32:40.863 PCTime: 0:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:../VIEW_ROOT/cisco.comp/pki_ssl/src/openssl/dist/ssl/s3_clnt.c:1007:
000735: *Dec 13 13:32:40.863 PCTime: HTTPDNSUPD: Call returned Request Aborted, update of tor1.dyn.oaky.net <=> 50.100.184.24 failed
000736: *Dec 13 13:32:40.863 PCTime: DYNDNSUPD: Another update completed (outstanding=0, total=0)
000737: *Dec 13 13:32:40.867 PCTime: HTTPDNSUPD: Clearing all session 60 info
charTO#show debug

Dynamic DNS debugging is on

ssl openssl:
  TLS state debugging is on
  TLS errors debugging is on

charTO#show run | sec ip ddns
ip ddns update method HEipv6TUN
HTTP
  add https://ipv4.tunnelbroker.net/ipv4_end.php?pass=----&apikey=---&tid=----
interval maximum 0 0 1 0

charTO#show run


crypto pki trustpoint hurricane
enrollment terminal pem
revocation-check none

crypto pki certificate chain hurricane
certificate ca 00F17A2250E699D461
  308203F0 308202D8 A0030201 02020900 F17A2250 E699D461 300D0609 2A864886
  F70D0101 05050030 819C310B 30090603 55040613 02555331 13301106 03550408
  130A4361 6C69666F 726E6961 3110300E 06035504 07130746 72656D6F 6E743120
  301E0603 55040A13 17487572 72696361 6E652045 6C656374 7269632C 204C4C43
  310D300B 06035504 0B130449 50763631 19301706 03550403 13107475 6E6E656C
  62726F6B 65722E6E 6574311A 30180609 2A864886 F70D0109 01160B69 70763640
  68652E6E 6574301E 170D3131 30343232 31373432 32305A17 0D323130 34313931
  37343232 305A3081 9C310B30 09060355 04061302 55533113 30110603 55040813
  0A43616C 69666F72 6E696131 10300E06 03550407 13074672 656D6F6E 74312030
  1E060355 040A1317 48757272 6963616E 6520456C 65637472 69632C20 4C4C4331
  0D300B06 0355040B 13044950 76363119 30170603 55040313 1074756E 6E656C62
  726F6B65 722E6E65 74311A30 1806092A 864886F7 0D010901 160B6970 76364068
  652E6E65 74308201 22300D06 092A8648 86F70D01 01010500 0382010F 00308201
  0A028201 0100DEE6 7CDAF334 3F0224FE C9273899 96262CC7 08ADC537 ABA644C0
  8639BC78 36721CC2 24608F40 8C2D0627 B1499EC2 58BF3F1A 374F5ACE 83A02BAD
  0D2E9594 619A4612 5DD29A54 381DEE64 B72A9DF6 34FDDE34 5A94459B 8F72015D
  DF9A1420 EF8E0129 4CF6F95D B7137B4F 9F8517AB 9D3B750D D198D899 A12FD3F8
  351BB755 115C5643 20999CE2 F8E761F1 90854CE1 6D665B0B B2797CC1 674C548B
  356368BB 876B5B07 00A66E05 8CF7D5AF EB5D6A78 C612CF1B 30649B5E 8E818ED4
  AD884CB5 C89DD01B 264BC2E5 1170C32F 0D5D3AFE 173636FF 4C64F51A 20FBD798
  D712B95B D8DCC262 0F50A209 65667E23 B787B6F9 1262160B E6693BD2 F7324EBF
  8FF32059 1EA30203 010001A3 33303130 2F060355 1D110428 30268210 74756E6E
  656C6272 6F6B6572 2E6E6574 82122A2E 74756E6E 656C6272 6F6B6572 2E6E6574
  300D0609 2A864886 F70D0101 05050003 82010100 5CC1B964 E7B2442C C810F60F
  B5929BAF 53740A48 811DFFBB 6D5A94A9 F89F12D7 BA4BF79D A5477323 307D5ADB
  78F380ED F3C7007A 0E011F6C FE2B1D82 944F4FC6 D4D23022 276489E2 BA82E168
  13F40624 5712EAD3 61DADE16 67A7FD2E 5C0A47DF 56BF9E24 693DDA54 1001D32B
  932CF690 3D4D0B00 9A129D70 F43625B4 36DF0B6B FC052222 10A56F0F BD955BA1
  36AFB02F 5BBDECDF E13759C5 9BB7AA55 AAB29F14 7E26287D 0147B9CB CE6E7376
  EA230AF2 1D1F71A3 7A5C8B77 B954551D CDF03CFA DBAB4ECE 78BF6F31 E96C7DD3
  74C94122 5DDFEDCE 35C1CA05 1B9CD265 FD66BE0C 8E9D294E 9CD9A5C4 C6E77E7A
  C8C88C9F 633D4BF1 45AA5991 9BC49607 11770EAC
        quit
!
!
Title: Re: Autoupdate tunnel ptp on Cisco platforms (IOS 12.4 on c877 tested)
Post by: mleber on December 13, 2011, 10:38:37 AM

I believe we replaced the self signed SSL certificate for tunnelbroker.net with a proper one from a CA.  This may or may not be related.
Title: Re: Autoupdate tunnel ptp on Cisco platforms (IOS 12.4 on c877 tested)
Post by: hestonk on December 13, 2011, 03:16:53 PM
You are correct, I didn't notice that the CA certificate was updated in November.

I did the copy/paste method as described in a previous post to copy/paste the certificate exported via FF.

I don't understand why it didn't work. So I did a little digging and imported/inserted the CA's certificate and it worked.

I exported it via # openssl s_client -showcerts -host ipv4.tunnelbroker.net -port 443
and then did the copy/and paste into IOS.

Here is the new working cert code you can just copy into your running config.

crypto pki trustpoint tunnelbroker
enrollment terminal pem
revocation-check none
!
!
crypto pki certificate chain tunnelbroker
certificate ca 01
  308202E7 30820250 02010130 0D06092A 864886F7 0D010105 05003081 BB312430
  22060355 0407131B 56616C69 43657274 2056616C 69646174 696F6E20 4E657477
  6F726B31 17301506 0355040A 130E5661 6C694365 72742C20 496E632E 31353033
  06035504 0B132C56 616C6943 65727420 436C6173 73203220 506F6C69 63792056
  616C6964 6174696F 6E204175 74686F72 69747931 21301F06 03550403 13186874
  74703A2F 2F777777 2E76616C 69636572 742E636F 6D2F3120 301E0609 2A864886
  F70D0109 01161169 6E666F40 76616C69 63657274 2E636F6D 301E170D 39393036
  32363030 31393534 5A170D31 39303632 36303031 3935345A 3081BB31 24302206
  03550407 131B5661 6C694365 72742056 616C6964 6174696F 6E204E65 74776F72
  6B311730 15060355 040A130E 56616C69 43657274 2C20496E 632E3135 30330603
  55040B13 2C56616C 69436572 7420436C 61737320 3220506F 6C696379 2056616C
  69646174 696F6E20 41757468 6F726974 79312130 1F060355 04031318 68747470
  3A2F2F77 77772E76 616C6963 6572742E 636F6D2F 3120301E 06092A86 4886F70D
  01090116 11696E66 6F407661 6C696365 72742E63 6F6D3081 9F300D06 092A8648
  86F70D01 01010500 03818D00 30818902 818100CE 3A71CAE5 ABC85992 55D7ABD8
  740EF9EE D9F65547 5965470E 0555DCEB 98363C5C 535DD330 CF38ECBD 4189ED25
  4209246B 0A5EB37C DD522D4C E6D4D67D 5A59A965 D449132D 244D1C50 6FB5C185
  543BFE71 E4D35C42 F980E091 1A0A5B39 3667F33F 557C1B3F B45F6473 34E3B412
  BF8764F8 DA12FF37 27C1B343 BBEF7B6E 2E69F702 03010001 300D0609 2A864886
  F70D0101 05050003 8181003B 7F506F6F 50949949 6238381F 4BF8A5C8 3EA78281
  F62BC7E8 C5CEE83A 1082CB18 008E4DBD A8587FA1 7900B5BB E98DAF41 D90F34EE
  218119A0 324928F4 C48E56D5 5233FD50 D57E996C 03E4C94C FCCB6CAB 66B34A21
  8CE5B50C 323E10B2 CC6CA1DC 9A984C02 5BF3CEB9 9EA5720E 4AB73F3C E61668F8
  BEED744C BC5BD562 1F43DD
        quit
!
!