
IPv4 DDNS for dns.he.net on Cisco IOS

Started by thermionic, July 24, 2012, 06:21:14 AM


thermionic

As nobody else has posted this, I thought that I might.

The configuration below is for IPv4 dynamic addressing as provided by most Internet Service Providers on ADSL or Cable connections.

I have tested the below on a BT FTTC connection which uses PPPoE over VDSL where the PPPoE interface has a dynamic address. The connection also has a routed /29 "behind" the PPPoE dynamic address. As the router has a static public address (from the /29) on its "internal" interface (which then connects to the firewall so the firewall has a public routable address) the he.net IPv6 tunnel is established from the "internal" interface so the IPv6 tunnel termination address does not change.

If you have any suggestions or improvements, please let me know.

In Global mode


ip ddns update method <method-name>
HTTP
 add http://<f.q.d.n>:<password>@ipv4.dyn.dns.he.net/nic/update?hostname=<h>&myip=<a>


Then on the dynamic addressed interface (usually Dialer 1)

ip ddns update hostname <f.q.d.n>
ip ddns update <method-name> host ipv4.dyn.dns.he.net



<method-name>  This is the name that you want to give the DDNS update; I usually use dyn.he.net
<f.q.d.n>      This is the fully qualified domain name that is configured for Dynamic DNS on the dns.he.net control panel
<password>     This is the password for the fully qualified domain name that is configured for Dynamic DNS on the dns.he.net control panel
<h>            This is an internal Cisco IOS variable for the hostname that it gets from the configuration on the interface
<a>            This is an internal Cisco IOS variable for the dynamic address on the interface

Presuming that the method name is dyn.he.net, the hostname being used is router.domain.com and the password is SuperSecretPassword, the completed command should look something like this:

In Global mode


ip ddns update method dyn.he.net
HTTP
 add http://router.domain.com:SuperSecretPassword@ipv4.dyn.dns.he.net/nic/update?hostname=<h>&myip=<a>


Then on the dynamic addressed interface (usually Dialer 1)

ip ddns update hostname router.domain.com
ip ddns update dyn.he.net host ipv4.dyn.dns.he.net


To enter a question mark <?> in IOS do ctrl+v then ?  (press and hold ctrl press v, release both, press ?)

HQuest

While still "old", this guide is relevant and fully functional; however, I have to add one missing link - which made me play for a while today after I found out my HE DNS wasn't being updated for quite a while.

As you may know, HE dynamic DNS services are using a self-signed certificate. As such, this certificate needs to be imported to the IOS, or the update process will fail. So all you need to do is:

In configure mode:
crypto pki trustpoint <method-name>
enrollment terminal pem
revocation-check none
crl optional


Then, you need to have a copy of the self-signed certificate in a Base-64 encoded X.509 format. You can use your browser to export it. Open this copy in a text editor, copy its content and paste it into the following settings:

crypto pki authenticate <method-name>
-----BEGIN CERTIFICATE-----
Ipsim Lorem put the text here
you got the idea
-----END CERTIFICATE-----
quit


It will display the certificate fingerprints in both MD5 and SHA1 (you can look back on the certificate details to double check if they indeed match), and then ask if you accept the certificate. Type yes, and you are good to save your config.

Recap + sample output - certificate should be valid until a) HE changes the certificate or b) it expires on March 22, 2021.

router(config)#crypto pki trustpoint DynDNSHENet
router(ca-trustpoint)#enrollment terminal pem
router(ca-trustpoint)#revocation-check none
router(ca-trustpoint)#crl optional
router(ca-trustpoint)#crypto pki authenticate DynDNSHENet

Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
quit
Certificate has the following attributes:
       Fingerprint MD5: C9D04C92 B9A32172 B48C1110 054E3CF6
      Fingerprint SHA1: 3FDE18F7 33EA46C2 CE737287 01FCFFA0 FCF40D06

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported

router(config)# _


Hope it helps.
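The fingerprint check described in the post above can be done on the workstation that holds the exported PEM file before answering "yes" on the router. The following is an added example, not code from the thread: it prints MD5 and SHA1 fingerprints in the grouped form IOS displays and compares them with values in IOS or colon-separated browser notation. The sample bytes and all function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

# Constructed placeholder bytes, NOT a real certificate and not HE's.
# A fingerprint is a hash over the decoded (DER) bytes, so any body works here.
SAMPLE_DER = b"constructed placeholder bytes standing in for a DER certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text):
    """Return the raw bytes inside the first CERTIFICATE block."""
    match = PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    body = "".join(match.group(1).split())  # drop line breaks and spaces
    return base64.b64decode(body, validate=True)


def ios_fingerprint(der, algo):
    """Format a digest the way the IOS output above does: 8 hex chars per group."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))


def normalize(fingerprint):
    """Strip spaces/colons so IOS and browser notations compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", fingerprint).upper()


def matches_router(pem_text, shown_md5, shown_sha1):
    """True only if both fingerprints shown by the router match the file."""
    der = pem_to_der(pem_text)
    ok = True
    for algo, shown in (("md5", shown_md5), ("sha1", shown_sha1)):
        mine = normalize(ios_fingerprint(der, algo))
        ok = hmac.compare_digest(mine, normalize(shown)) and ok
    return ok


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print("Fingerprint MD5: ", ios_fingerprint(der, "md5"))
    print("Fingerprint SHA1:", ios_fingerprint(der, "sha1"))
```

With `revocation-check none` on the trustpoint, this fingerprint comparison is the only validation the pasted certificate receives, so the reference values should come from a separate connection to the one the file was exported over.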

gibtrade

Hi, I'm trying to replicate this. As you said, although "old", very relevant and useful.

Unfortunately I'm getting "badauth" although I run the same command on a workstation specifying hostname & IP manually and auth is ok.

Any ideas?


EDIT: Ok, some more investigation, and although it looks correct in the config, there is something to do with the maximum length of the HTTP string. A shorter password solved my problem.


Hope this saves someone else some head scratching.