• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Autoupdate tunnel ptp on Cisco platforms (IOS 12.4 on c877 tested)

Started by lucagervasi, October 11, 2009, 07:21:48 AM

Previous topic - Next topic

gawul00

Thanks, that worked like a charm.  I pulled some other cisco site info that led me down the wrong path previously.

iannet

This is a good script, but for those like me who use mainly Windows I have created the following application to detect when the IP changes and update the tunnel IP Address automatically.

You can find more details here: http://www.iannet.org/apps/TunnelBrokerUpdate

ps: Requirements Microsoft .NET Framework 2.0

Feel free to drop any comments and suggestions
Ian

smanet

Hello all,
i have looked for this like two months ago without success. I'm now making some tests using https protocol and i want to thank you to pkorovin for the certificate import procedure and lucagervasi for starting this post. Anyway, a time i tried to update it by http only. And sometimes it worked and sometimes not. If someone wanna make some test to avoid the use of that certificate it's welcome. I'm using a Cisco 877 with 12.4(15)T11.
If someone is interested i'll let you know if https works fine with this IOS release.

Goodbye

Sandro

lucagervasi

Is the router date "up-to-date" ?

The certificate has a not-before and not-after date of validity. If the router date is incorrect, you can "invalidate" an otherwise valid certificate.

Try using ntp.

Greetings.

Luca

smanet

Yes of course. I'm using ntp servers from sixxs.
Now with https looks fine, i'll check it for some days. Then i'll try again with http only. If you try by hand from the browser you'll see that http it's fine too to upgrade the endpoint ip.รน

Goodbye

Sandro

jhawkes

It works on a Cisco 871 with the following IOS:-
show ver
Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Wed 02-Dec-09 18:42 by prod_rel_team

It took a while to get the User_ID and Tunnel_ID worked out.
There is a HE.NET URL that gives you the info
https://ipv4.tunnelbroker.net/ipv4_end.php

Please use the format https://ipv4.tunnelbroker.net/ipv4_end.php?ipv4b=$IPV4ADDR&pass=$MD5PASS&user_id=$USERID&tunnel_id=$GTUNID
Where:

$IPV4ADDR = The new IPv4 Endpoint (AUTO to use the requesting client's IP address)
$MD5PASS = The MD5 Hash of your password
$USERID = The UserID from the main page of the tunnelbroker (not your username)
$GTUNID = The Global Tunnel ID from the tunnel_details page

PatrickDickey

Quote from: iannet on December 14, 2009, 01:35:38 PM
This is a good script, but for those like me who use mainly Windows I have created the following application to detect when the IP changes and update the tunnel IP Address automatically.

You can find more details here: http://www.iannet.org/apps/TunnelBrokerUpdate

ps: Requirements Microsoft .NET Framework 2.0

Feel free to drop any comments and suggestions
Ian

I would like to make a couple of suggestions for your program, if I can...

The first is to make an actual installer, so people don't have to constantly run it from the zip file (or its extracted location).  The second is to create an autostart with Windows (or run as a service).

Also, is the source code available for the program?  I may be able to update it to VS10 if you are interested.

Have a great day:)
Patrick.

candlerb

Excellent instructions. Of course, you also need

ipv6 route ::/0 tunnel0

Took me a moment to realise this :-)

dfroe

If you have trouble using https, you can also use http to update the endpoint ip.
Here is a part of my config (tested on a cisco 1941).


ip ddns update method tunnelbroker
HTTP
 add http://ipv4.tunnelbroker.net/ipv4_end.php?ip=<a>&pass=__MD5PASS__&apikey=__USERID__&tid=__GTUNID__
!
interface Dialer1
ip ddns update tunnelbroker


You will have to replace __MD5PASS__, __USERID__ and __GTUNID__ with your values. <a> will be replaced by IOS with the IP of the associated dialer interface. This seems to be a quite simple way although it might be vulnerable for replay attacks if somebody captures the http request.

regards
David

hestonk

I can confirm this is working on my Cisco 1811 IOS. 12.4(22)T3


And it looks like ipv4.tunnelbroker.net had its self-signed certificate renewed on May 22nd, 2011...


The following is the new cisco code to install the self-signed cert onto your router. Hope this helps...

crypto pki trustpoint tunnelbroker
enrollment terminal pem
revocation-check none
!
!
crypto pki certificate chain tunnelbroker
certificate ca 00F17A2250E699D461
  308203F0 308202D8 A0030201 02020900 F17A2250 E699D461 300D0609 2A864886
  F70D0101 05050030 819C310B 30090603 55040613 02555331 13301106 03550408
  130A4361 6C69666F 726E6961 3110300E 06035504 07130746 72656D6F 6E743120
  301E0603 55040A13 17487572 72696361 6E652045 6C656374 7269632C 204C4C43
  310D300B 06035504 0B130449 50763631 19301706 03550403 13107475 6E6E656C
  62726F6B 65722E6E 6574311A 30180609 2A864886 F70D0109 01160B69 70763640
  68652E6E 6574301E 170D3131 30343232 31373432 32305A17 0D323130 34313931
  37343232 305A3081 9C310B30 09060355 04061302 55533113 30110603 55040813
  0A43616C 69666F72 6E696131 10300E06 03550407 13074672 656D6F6E 74312030
  1E060355 040A1317 48757272 6963616E 6520456C 65637472 69632C20 4C4C4331
  0D300B06 0355040B 13044950 76363119 30170603 55040313 1074756E 6E656C62
  726F6B65 722E6E65 74311A30 1806092A 864886F7 0D010901 160B6970 76364068
  652E6E65 74308201 22300D06 092A8648 86F70D01 01010500 0382010F 00308201
  0A028201 0100DEE6 7CDAF334 3F0224FE C9273899 96262CC7 08ADC537 ABA644C0
  8639BC78 36721CC2 24608F40 8C2D0627 B1499EC2 58BF3F1A 374F5ACE 83A02BAD
  0D2E9594 619A4612 5DD29A54 381DEE64 B72A9DF6 34FDDE34 5A94459B 8F72015D
  DF9A1420 EF8E0129 4CF6F95D B7137B4F 9F8517AB 9D3B750D D198D899 A12FD3F8
  351BB755 115C5643 20999CE2 F8E761F1 90854CE1 6D665B0B B2797CC1 674C548B
  356368BB 876B5B07 00A66E05 8CF7D5AF EB5D6A78 C612CF1B 30649B5E 8E818ED4
  AD884CB5 C89DD01B 264BC2E5 1170C32F 0D5D3AFE 173636FF 4C64F51A 20FBD798
  D712B95B D8DCC262 0F50A209 65667E23 B787B6F9 1262160B E6693BD2 F7324EBF
  8FF32059 1EA30203 010001A3 33303130 2F060355 1D110428 30268210 74756E6E
  656C6272 6F6B6572 2E6E6574 82122A2E 74756E6E 656C6272 6F6B6572 2E6E6574
  300D0609 2A864886 F70D0101 05050003 82010100 5CC1B964 E7B2442C C810F60F
  B5929BAF 53740A48 811DFFBB 6D5A94A9 F89F12D7 BA4BF79D A5477323 307D5ADB
  78F380ED F3C7007A 0E011F6C FE2B1D82 944F4FC6 D4D23022 276489E2 BA82E168
  13F40624 5712EAD3 61DADE16 67A7FD2E 5C0A47DF 56BF9E24 693DDA54 1001D32B
  932CF690 3D4D0B00 9A129D70 F43625B4 36DF0B6B FC052222 10A56F0F BD955BA1
  36AFB02F 5BBDECDF E13759C5 9BB7AA55 AAB29F14 7E26287D 0147B9CB CE6E7376
  EA230AF2 1D1F71A3 7A5C8B77 B954551D CDF03CFA DBAB4ECE 78BF6F31 E96C7DD3
  74C94122 5DDFEDCE 35C1CA05 1B9CD265 FD66BE0C 8E9D294E 9CD9A5C4 C6E77E7A
  C8C88C9F 633D4BF1 45AA5991 9BC49607 11770EAC
        quit
!
!


trevorwarwick

It's also working for me with 15.1(2)T on an 877. I found that I had to specify "ip ddns update hostname" on the interface, even though it's not really needed for the HTTP update.   I'm using the manually-applied certificate that someone provided in a previous post in this thread.


ip ddns update method he-ipv6
HTTP
 add https://ipv4.tunnelbroker.net/ipv4_end.php?ip=AUTO&pass=0000deadbeeef....&apikey=00000cafe.........&tid=12345
interval maximum 28 0 0 0
interval minimum 7 0 0 0

interface ATM0.1 point-to-point
ip ddns update hostname something.dyndns-at-home.com
ip ddns update he-ipv6
ip address dhcp
ip access-group v4in in
no ip proxy-arp
ip nat outside
ip inspect myfw out
ip virtual-reassembly in
atm route-bridged ip
pvc 0/101
 oam-pvc manage
 encapsulation aal5snap
!


Ne3s23p2

How to import the certificate from '$ openssl s_client -connect ipv4.tunnelbroker.net:443' with correct flags into the router ?
It does not work on my 1721 (IOS 12.4-15.T14) with 'crypto pki authenticate tunnelbroker' and pasting the certificate.
The debug options for ddns and crypto pki are set. Most interesting thing in the debug output: 'CRYPTO-PKI: Cert has the following key-usage flags: Digital-Signature, Key-Encipherment'.
After a 'clear int dial0' to get a new dynamic ipv4, the ddns update fails with 'CRYPTO_PKI: Can't find encryption certificate for trustpoint (tunnelbroker)' then 'HTTPDNSUPD: Call returned Request Aborted for update [my hostname] <=> [my ipv4]' between lots of debug lines.
Where to tell the cert is to be used for encryption ?

hestonk

I just noticed today that 2 of my sites are no longer updating the endpoints properly.
One is a c2801 and the other is a c1811 running 15.1(4)M

Here's a snippet from one of the routers.

I'm not too sure what the issue is here. Perhaps the SSLv3 negotiation isn't handshaking properly?....
Kinda at a loss, let me know if you guys have any ideas.

000715: *Dec 13 13:32:40.327 PCTime: DYNDNSUPD: Adding DNS mapping for tor1 <=> 50.100.x.x
000716: *Dec 13 13:32:40.327 PCTime: HTTPDNS: Update add called for tor1 <=> 50.100.x.x
000717: *Dec 13 13:32:40.327 PCTime: HTTPDNSUPD: Session ID = 0x3C
000718: *Dec 13 13:32:40.327 PCTime: HTTPDNSUPD: URL = 'https://ipv4.tunnelbroker.net/ipv4_end.php?pass=----&apikey=----&tid=----'
000719: *Dec 13 13:32:40.327 PCTime: HTTPDNSUPD: Sending request
000720: *Dec 13 13:32:40.663 PCTime: opssl_SetPKIInfo entry
000721: *Dec 13 13:32:40.663 PCTime: opssl_SetPKIInfo done.
000722: *Dec 13 13:32:40.663 PCTime: Handshake start: before/connect initialization
000723: *Dec 13 13:32:40.663 PCTime: SSL_connect:before/connect initialization
000724: *Dec 13 13:32:40.667 PCTime: SSL_connect:SSLv3 write client hello A
000725: *Dec 13 13:32:40.667 PCTime: SSL_connect:would block on read in SSLv3 read server hello A
000726: *Dec 13 13:32:40.755 PCTime: SSL_connect:SSLv3 read server hello A
000727: *Dec 13 13:32:40.755 PCTime: SSL_connect:would block on read in SSLv3 read server certificate A
000728: *Dec 13 13:32:40.755 PCTime: SSL_connect:would block on read in SSLv3 read server certificate A
000729: *Dec 13 13:32:40.839 PCTime: SSL_connect:would block on read in SSLv3 read server certificate A
000730: *Dec 13 13:32:40.839 PCTime: SSL_connect:would block on read in SSLv3 read server certificate A
000731: *Dec 13 13:32:40.843 PCTime: SSL_connect:would block on read in SSLv3 read server certificate A
000732: *Dec 13 13:32:40.863 PCTime: SSL3 alert write:fatal:bad certificate
000733: *Dec 13 13:32:40.863 PCTime: SSL_connect:error in SSLv3 read server certificate C
000734: *Dec 13 13:32:40.863 PCTime: 0:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:../VIEW_ROOT/cisco.comp/pki_ssl/src/openssl/dist/ssl/s3_clnt.c:1007:                                                                                               000735: *Dec 13 13:32:40.863 PCTime: HTTPDNSUPD: Call returned Request Aborted, update of tor1.dyn.oaky.net <=> 50.100.184.24 failed
000736: *Dec 13 13:32:40.863 PCTime: DYNDNSUPD: Another update completed (outstanding=0, total=0)
000737: *Dec 13 13:32:40.867 PCTime: HTTPDNSUPD: Clearing all session 60 info
charTO#
charTO#
charTO#
charTO#show debug

Dynamic DNS debugging is on

ssl openssl:
  TLS state debugging is on
  TLS errors debugging is on

charTO#show run | sec ip ddns
ip ddns update method HEipv6TUN
HTTP
  add https://ipv4.tunnelbroker.net/ipv4_end.php?pass=----&apikey=---&tid=----
interval maximum 0 0 1 0

charTO#show run


crypto pki trustpoint hurricane
enrollment terminal pem
revocation-check none

crypto pki certificate chain hurricane
certificate ca 00F17A2250E699D461
  308203F0 308202D8 A0030201 02020900 F17A2250 E699D461 300D0609 2A864886
  F70D0101 05050030 819C310B 30090603 55040613 02555331 13301106 03550408
  130A4361 6C69666F 726E6961 3110300E 06035504 07130746 72656D6F 6E743120
  301E0603 55040A13 17487572 72696361 6E652045 6C656374 7269632C 204C4C43
  310D300B 06035504 0B130449 50763631 19301706 03550403 13107475 6E6E656C
  62726F6B 65722E6E 6574311A 30180609 2A864886 F70D0109 01160B69 70763640
  68652E6E 6574301E 170D3131 30343232 31373432 32305A17 0D323130 34313931
  37343232 305A3081 9C310B30 09060355 04061302 55533113 30110603 55040813
  0A43616C 69666F72 6E696131 10300E06 03550407 13074672 656D6F6E 74312030
  1E060355 040A1317 48757272 6963616E 6520456C 65637472 69632C20 4C4C4331
  0D300B06 0355040B 13044950 76363119 30170603 55040313 1074756E 6E656C62
  726F6B65 722E6E65 74311A30 1806092A 864886F7 0D010901 160B6970 76364068
  652E6E65 74308201 22300D06 092A8648 86F70D01 01010500 0382010F 00308201
  0A028201 0100DEE6 7CDAF334 3F0224FE C9273899 96262CC7 08ADC537 ABA644C0
  8639BC78 36721CC2 24608F40 8C2D0627 B1499EC2 58BF3F1A 374F5ACE 83A02BAD
  0D2E9594 619A4612 5DD29A54 381DEE64 B72A9DF6 34FDDE34 5A94459B 8F72015D
  DF9A1420 EF8E0129 4CF6F95D B7137B4F 9F8517AB 9D3B750D D198D899 A12FD3F8
  351BB755 115C5643 20999CE2 F8E761F1 90854CE1 6D665B0B B2797CC1 674C548B
  356368BB 876B5B07 00A66E05 8CF7D5AF EB5D6A78 C612CF1B 30649B5E 8E818ED4
  AD884CB5 C89DD01B 264BC2E5 1170C32F 0D5D3AFE 173636FF 4C64F51A 20FBD798
  D712B95B D8DCC262 0F50A209 65667E23 B787B6F9 1262160B E6693BD2 F7324EBF
  8FF32059 1EA30203 010001A3 33303130 2F060355 1D110428 30268210 74756E6E
  656C6272 6F6B6572 2E6E6574 82122A2E 74756E6E 656C6272 6F6B6572 2E6E6574
  300D0609 2A864886 F70D0101 05050003 82010100 5CC1B964 E7B2442C C810F60F
  B5929BAF 53740A48 811DFFBB 6D5A94A9 F89F12D7 BA4BF79D A5477323 307D5ADB
  78F380ED F3C7007A 0E011F6C FE2B1D82 944F4FC6 D4D23022 276489E2 BA82E168
  13F40624 5712EAD3 61DADE16 67A7FD2E 5C0A47DF 56BF9E24 693DDA54 1001D32B
  932CF690 3D4D0B00 9A129D70 F43625B4 36DF0B6B FC052222 10A56F0F BD955BA1
  36AFB02F 5BBDECDF E13759C5 9BB7AA55 AAB29F14 7E26287D 0147B9CB CE6E7376
  EA230AF2 1D1F71A3 7A5C8B77 B954551D CDF03CFA DBAB4ECE 78BF6F31 E96C7DD3
  74C94122 5DDFEDCE 35C1CA05 1B9CD265 FD66BE0C 8E9D294E 9CD9A5C4 C6E77E7A
  C8C88C9F 633D4BF1 45AA5991 9BC49607 11770EAC
        quit
!
!

mleber


I believe we replaced the self signed SSL certificate for tunnelbroker.net with a proper one from a CA.  This may or may not be related.

hestonk

You are correct, I didn't notice that the CA certificate was updated in November.

I did the copy/paste method as described in a previous post to copy/paste the certificate exported via FF.

I don't understand why it didn't work. So I did a little digging and imported/inserted the CA's certificate and it worked.

I exported it via # openssl s_client -showcerts -host ipv4.tunnelbroker.net -port 443
and then did the copy/and paste into IOS.

Here is the new working cert code you can just copy into your running config.

crypto pki trustpoint tunnelbroker
enrollment terminal pem
revocation-check none
!
!
crypto pki certificate chain tunnelbroker
certificate ca 01
  308202E7 30820250 02010130 0D06092A 864886F7 0D010105 05003081 BB312430
  22060355 0407131B 56616C69 43657274 2056616C 69646174 696F6E20 4E657477
  6F726B31 17301506 0355040A 130E5661 6C694365 72742C20 496E632E 31353033
  06035504 0B132C56 616C6943 65727420 436C6173 73203220 506F6C69 63792056
  616C6964 6174696F 6E204175 74686F72 69747931 21301F06 03550403 13186874
  74703A2F 2F777777 2E76616C 69636572 742E636F 6D2F3120 301E0609 2A864886
  F70D0109 01161169 6E666F40 76616C69 63657274 2E636F6D 301E170D 39393036
  32363030 31393534 5A170D31 39303632 36303031 3935345A 3081BB31 24302206
  03550407 131B5661 6C694365 72742056 616C6964 6174696F 6E204E65 74776F72
  6B311730 15060355 040A130E 56616C69 43657274 2C20496E 632E3135 30330603
  55040B13 2C56616C 69436572 7420436C 61737320 3220506F 6C696379 2056616C
  69646174 696F6E20 41757468 6F726974 79312130 1F060355 04031318 68747470
  3A2F2F77 77772E76 616C6963 6572742E 636F6D2F 3120301E 06092A86 4886F70D
  01090116 11696E66 6F407661 6C696365 72742E63 6F6D3081 9F300D06 092A8648
  86F70D01 01010500 03818D00 30818902 818100CE 3A71CAE5 ABC85992 55D7ABD8
  740EF9EE D9F65547 5965470E 0555DCEB 98363C5C 535DD330 CF38ECBD 4189ED25
  4209246B 0A5EB37C DD522D4C E6D4D67D 5A59A965 D449132D 244D1C50 6FB5C185
  543BFE71 E4D35C42 F980E091 1A0A5B39 3667F33F 557C1B3F B45F6473 34E3B412
  BF8764F8 DA12FF37 27C1B343 BBEF7B6E 2E69F702 03010001 300D0609 2A864886
  F70D0101 05050003 8181003B 7F506F6F 50949949 6238381F 4BF8A5C8 3EA78281
  F62BC7E8 C5CEE83A 1082CB18 008E4DBD A8587FA1 7900B5BB E98DAF41 D90F34EE
  218119A0 324928F4 C48E56D5 5233FD50 D57E996C 03E4C94C FCCB6CAB 66B34A21
  8CE5B50C 323E10B2 CC6CA1DC 9A984C02 5BF3CEB9 9EA5720E 4AB73F3C E61668F8
  BEED744C BC5BD562 1F43DD
        quit
!
!