
Help Needed with DDNS / IPv6 on Cisco Router

Started by aquilla, November 22, 2014, 04:15:37 AM



Morning Guys,

Forgive my post begging for help but I hope someone can help me / point out what I'm doing wrong.

I've had a HE IPv6 tunnel for a few years and previously had it working on a Cisco 877 with a static IP until about a year ago. My 877 died and in the interim I've been using a Draytek. Anyway, I now have a Cisco 887VA and also a dynamic IP.

I'm having a problem getting the Cisco router to update the IP via a DDNS URL. I've added the root CA certificate to the Cisco box, however it still fails. I've been searching on these forums and Google but am still having problems, hence my post here.

The "Call returned Request Aborted" in the debug logs suggests it still has a problem with the SSL certificate but I can't understand why.

Edit: When I copy the URL and paste it into a browser, it works and the end point IP address is updated so I know the URL is good.

Any input greatly appreciated.

SSL Certificate

crypto pki trustpoint tunnelbroker
 enrollment terminal pem
 revocation-check none
crypto pki certificate chain tunnelbroker
 certificate ca 00
  3082040F 308202F7 A0030201 02020100 300D0609 2A864886 F70D0101 05050030
  68310B30 09060355 04061302 55533125 30230603 55040A13 1C537461 72666965
  6C642054 6563686E 6F6C6F67 6965732C 20496E63 2E313230 30060355 040B1329
  53746172 6669656C 6420436C 61737320 32204365 72746966 69636174 696F6E20
  41757468 6F726974 79301E17 0D303430 36323931 37333931 365A170D 33343036
  32393137 33393136 5A306831 0B300906 03550406 13025553 31253023 06035504
  0A131C53 74617266 69656C64 20546563 686E6F6C 6F676965 732C2049 6E632E31
  32303006 0355040B 13295374 61726669 656C6420 436C6173 73203220 43657274
  69666963 6174696F 6E204175 74686F72 69747930 82012030 0D06092A 864886F7
  0D010101 05000382 010D0030 82010802 82010100 B732C8FE E971A604 85AD0C11
  64DFCE4D EFC80318 873FA1AB FB3CA69F F0C3A1DA D4D86E2B 5390FB24 A43E84F0
  9EE85FEC E52744F5 28A63F7B DEE02AF0 C8AF532F 9ECA0501 931E8F66 1C39A74D
  FA5AB673 042566EB 777FE759 C64A9925 1454EB26 C7F37F19 D530708F AFB0462A
  FFADEB29 EDD79FAA 0487A3D4 F989A534 5FDB4391 8236D966 3CB1B8B9 82FD9C3A
  3E10C83B EF066566 7A9B1918 3DFF7151 3C302E5F BE3D7773 B25D066C C323569A
  2B852692 1CA702B3 E43F0DAF 087982B8 363DEA9C D335B3BC 69CAF5CC 9DE8FD64
  8D178033 6E5E4A5D 99C91E87 B49D1AC0 D56E1335 235EDF9B 5F3DEFD6 F776C2EA
  3EBB780D 1C42676B 04D8F8D6 DA6F8BF2 44A001AB 020103A3 81C53081 C2301D06
  03551D0E 04160414 BF5FB7D1 CEDD1F86 F45B55AC DCD710C2 0EA988E7 30819206
  03551D23 04818A30 81878014 BF5FB7D1 CEDD1F86 F45B55AC DCD710C2 0EA988E7
  A16CA46A 3068310B 30090603 55040613 02555331 25302306 0355040A 131C5374
  61726669 656C6420 54656368 6E6F6C6F 67696573 2C20496E 632E3132 30300603
  55040B13 29537461 72666965 6C642043 6C617373 20322043 65727469 66696361
  74696F6E 20417574 686F7269 74798201 00300C06 03551D13 04053003 0101FF30
  0D06092A 864886F7 0D010105 05000382 01010005 9D3F889D D1C91A55 A1AC69F3
  F359DA9B 01871A4F 57A9A179 092ADBF7 2FB21ECC C75E6AD8 8387A197 EF49353E
  77064158 62BF8E58 B80A673F ECB3DD21 661FC954 FA72CC3D 4C40D881 AF779E83
  7ABBA2C7 F534178E D91140F4 FC2C2A4D 157FA762 5D2E25D3 000B201A 1D68F917
  B8F4BD8B ED2859DD 4D168B17 83C8B265 C72D7AA5 AABC5386 6DDD57A4 CAF82041
  0B68F0F4 FB74BE56 5D7A79F5 F91D85E3 2D95BEF5 719043CC 8D1F9A00 0A8729E9
  55225800 23EAE312 43295B47 08DD8C41 6A6506A8 E521AA41 B4952195 B97DD134
  AB13D6AD BCDCE23D 39CDBD3E 7570A118 5903C922 B48F9CD5 5E2AD7A5 B6D40A6D
  F8B74011 469A1F79 0E62BF0F 97ECE02F 1F1794

ip ddns update method Tunnelbroker
 HTTP
  add https://<removed>:<removed>@ipv4.tunnelbroker.net/ipv4_end.php?tid=<removed>
 interval maximum 0 1 0 0
interface Dialer1
 ip ddns update hostname ddns.<removed>
 ip ddns update Tunnelbroker

Debug Logs

Nov 22 2014 12:11:11.547 GMT: DYNDNSUPD: Adding DNS mapping for ddns.<removed> <=> 94.x.x.x
Nov 22 2014 12:11:11.547 GMT: HTTPDNS: Update add called for ddns.<removed> <=> 94.x.x.x
Nov 22 2014 12:11:11.547 GMT: HTTPDNSUPD: Session ID = 0xB
Nov 22 2014 12:11:11.547 GMT: HTTPDNSUPD: URL = 'https://<removed>:<removed>@ipv4.tunnelbroker.net/ipv4_end.php?tid=<removed>'
Nov 22 2014 12:11:11.547 GMT: HTTPDNSUPD: Sending request
Nov 22 2014 12:11:11.911 GMT: HTTPDNSUPD: Call returned Request Aborted, update of ddns.<removed> <=> 94.x.x.x failed
Nov 22 2014 12:11:11.911 GMT: DYNDNSUPD: Another update completed (outstanding=0, total=0)
Nov 22 2014 12:11:11.911 GMT: HTTPDNSUPD: Clearing all session 11 info



Haven't managed to get dynamic updates working from the router but have got a workaround. I've got a dynamic hostname which accepts updates via HTTP, so I've configured this on the router and it updates. I have also written a basic bash script which checks the IP of the dynamic hostname every xx minutes, and if it's changed, it will update my endpoint IP via a URL.

I'll admit it's not pretty, but it gets my IPv6 tunnel working with a dynamic IP until I can figure out what's going on with the SSL certificates on the router.
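The polling workaround described in the post, written out here as an added example rather than the poster's own script. It assumes the dynamic hostname, the update URL, a credentials file and a state file path (all hypothetical, supplied through environment variables), relies on getent and curl, and, like the ipv4_end.php URL in the first post, expects the update request to be sent from behind the dynamic address, since the post's browser test suggests the endpoint records the caller's source address.

```shell
#!/bin/sh
# Added example, not the poster's script: poll a dynamic hostname and, when its
# A record changes, fetch the endpoint update URL so HE learns the new IPv4.
# Hypothetical defaults; override through the environment.
set -u

DYN_HOST="${DYN_HOST:-ddns.example.invalid}"                  # placeholder hostname
UPDATE_URL="${UPDATE_URL:-https://ipv4.tunnelbroker.net/nic/update}"  # endpoint named later in the thread
STATE_FILE="${STATE_FILE:-${HOME:-/tmp}/.he-endpoint-ip}"     # last address we pushed
CREDS_FILE="${CREDS_FILE:-${HOME:-/tmp}/.he-netrc}"           # netrc format, mode 0600

# Return 0 if $1 is a dotted quad with four octets in 0-255, 1 otherwise.
is_ipv4() {
    ip=$1
    case $ip in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $ip
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Resolve the dynamic hostname to its first IPv4 address (empty if unresolved).
resolve_ipv4() {
    getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }'
}

# Return 0 if $1 differs from the address recorded in state file $2 (or none recorded).
ip_changed() {
    if [ -f "$2" ] && [ "$(cat "$2")" = "$1" ]; then
        return 1
    fi
    return 0
}

# Remember the address we successfully pushed.
record_ip() {
    printf '%s\n' "$1" > "$2"
}

# Fetch the update URL. Credentials come from a netrc file
# ("machine ipv4.tunnelbroker.net login USER password KEY") so they never
# appear on the command line, in ps output or in shell history.
push_update() {
    curl --silent --show-error --fail --max-time 20 --netrc-file "$CREDS_FILE" "$1"
}

main() {
    ip=$(resolve_ipv4 "$DYN_HOST")
    if ! is_ipv4 "$ip"; then
        echo "could not resolve $DYN_HOST to an IPv4 address" >&2
        return 1
    fi
    if ip_changed "$ip" "$STATE_FILE"; then
        echo "address changed to $ip, updating endpoint"
        if push_update "$UPDATE_URL"; then
            record_ip "$ip" "$STATE_FILE"
        else
            echo "update failed; will retry on the next run" >&2
            return 1
        fi
    else
        echo "address unchanged ($ip)"
    fi
}

# Run only when executed under this (hypothetical) file name, e.g. from cron.
case ${0##*/} in he-endpoint-check.sh) main "$@" ;; esac
```

Run it from cron every few minutes. Because the state file is only written after a successful fetch, a transient failure of the update endpoint just defers the push to the next run instead of silently losing it.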



Same problem on my IOS 12.4-15-T14 routers; it had been working for a few years, then DDNS stopped working.
I removed the certificate, then re-added it with the following config commands, but it did not help.
crypto pki trustpoint tunnelbroker
 enrollment terminal
crypto pki authenticate tunnelbroker
[paste first CA cert downloaded with 'openssl s_client -showcerts -host ipv4.tunnelbroker.net -port 443']
[enter new line and accept new cert]

Setting some crypto pki debug flags showed the following message:
CRYPTO_PKI: Can't find encryption certificate for trustpoint (tunnelbroker)
CRYPTO_PKI: unlocked trustpoint tunnelbroker, refcount is 0

What has changed that IOS does not like? Is there a way to enroll a chain of all the certs
output by the openssl command, or only an encryption cert, and which one to choose?
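To see which certificates the server actually hands back, and which of them (if any) is self-signed and therefore a root, here is an added helper built around the same openssl s_client command the post uses; it is not from the thread. It splits the chain into one PEM file per certificate and prints each one's subject, issuer and validity. For comparison, the hex blob in the first post decodes to the self-signed "Starfield Class 2 Certification Authority" root; running this against the server shows whether that root is sent at all or only the leaf and intermediates. Assumptions: openssl and awk are available, and the script name and output directory are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: enumerate the certificate chain a TLS
# server presents and describe each certificate.
set -u

# Split a concatenated PEM stream on stdin into $1/cert-N.pem (N from 1);
# anything outside BEGIN/END CERTIFICATE blocks is dropped. Prints the count.
split_chain() {
    outdir=$1
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
        f != ""                        { print > f }
        /-----END CERTIFICATE-----/    { close(f); f = "" }
        END                            { print n + 0 }
    '
}

# Print subject, issuer and validity window of one PEM certificate.
describe_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -dates
}

# A root CA certificate is self-signed: subject and issuer are identical.
is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
    i=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
    [ "$s" = "$i" ]
}

# Fetch the chain from $1:$2 into directory $3; prints the certificate count.
# -showcerts prints every certificate the server sends, interleaved with
# handshake chatter that split_chain discards.
fetch_chain() {
    openssl s_client -showcerts -connect "$1:$2" -servername "$1" \
        </dev/null 2>/dev/null | split_chain "$3"
}

main() {
    host=${1:-ipv4.tunnelbroker.net}   # host from the thread
    port=${2:-443}
    dir=$(mktemp -d)
    count=$(fetch_chain "$host" "$port" "$dir")
    echo "$host presented $count certificate(s):"
    n=1
    while [ "$n" -le "$count" ]; do
        f="$dir/cert-$n.pem"
        echo "--- $f"
        describe_cert "$f"
        if is_self_signed "$f"; then
            echo "    (self-signed: this is a root CA)"
        fi
        n=$((n + 1))
    done
    echo "PEM files left in $dir"
}

# Run only when executed under this (hypothetical) file name.
case ${0##*/} in show-chain.sh) main "$@" ;; esac
```

Servers frequently send only the leaf and intermediates and omit the root, so if no certificate is reported as self-signed, the CA certificate that issued the top-most intermediate has to be obtained from the CA's own published bundle rather than from the connection. That issuing CA certificate is the one a trustpoint needs in order to validate the rest of the chain.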


I get the same problem, with the new api: https://ipv4.tunnelbroker.net/nic/update

The ddns update function worked well on my cisco 1841 for several months, and it failed since one day in Q4 2014.

Can anyone help?


It's because they're using a self-signed certificate. They need to fix this. It is an unimaginable pain in the ass to make most systems accept a self-signed cert.

[edit] and the http secure client is 100% b0rk3d. (it won't connect to anything. even itself!)


I have self-signed CA certificate and I don't see a problem.  All that is necessary is to provide a method for downloading it.  I do so on the site's HTTP document-root resource page.  On my co-located server, I have a service that will autofetch PGP keys from a key server.  X.509 shouldn't be significantly different.  The problem is that many/most people don't know how to publish their public keys.


Please see this thread - https://forums.he.net/index.php?topic=2527. It covers the whole setup, including the self-signed SSL certificate "workaround".