• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Autoupdate tunnel ptp on Cisco platforms (IOS 12.4 on c877 tested)

Started by lucagervasi, October 11, 2009, 07:21:48 AM




I'm starting to set up IPv6 connectivity at my home using HE.net tunnels. I'm in Italy, on a 20mb home ADSL with a dynamic public IPv4 IP. In such an environment, it's vital to update the tunnel source in an automated fashion.

Here is the code:

First, create an update method to bind to the Dialer interface:

ip ddns update method he-ipv6
 HTTP
  add https://ipv4.tunnelbroker.net/ipv4_end.php?ipv4b=<a>&pass=___MD5PASS___&user_id=___USERID___&tunnel_id=___TUNNEL_ID___
 interval maximum 15 0 0 0

You can use either "<a>" or AUTO. Using <a>, the URL is rewritten by IOS using the bound interface address (my Dialer0); "AUTO" lets he.net use the IPv4 address that sourced the request.
MD5PASS, USERID, TUNNELID are your own values.

Then bind the ddns update to the interface:

interface Dialer0
description Interfaccia Dialer 20Mb
ip ddns update he-ipv6
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
no cdp enable
ppp authentication chap callin
ppp pap sent-username aliceadsl password 7 00000000000000000000

For dynamic IPv4 users like me, it's a good idea to change the he.net supplied snippet:

interface Tunnel0
description Hurricane Electric IPv6 Tunnel Broker
no ip address
ipv6 address my_routed64/64
ipv6 enable
tunnel source Dialer0
tunnel destination
tunnel mode ipv6ip

As you can see, I changed the "tunnel source" to match my dialing interface.

Now you need to set up the Vlan1 interface to use your routed-64 or routed-48.

I hope this will help someone :)

See Ya


Luca, what exact command are you using on the update method?
I'm asking this because the link to update the IP has a "?" and IOS doesn't accept this, since "?" is the help command.
I'm trying to use an ASCII table to find the value for "?" and do this, but haven't got any results so far.
What else can be done so that the router updates the IP by itself?



You must press CTRL+V prior to inserting the question mark. Then the "?" will no longer bring you to the contextual help.

see Ya


I'm struggling with this also, guys. Could you confirm that the user ID is the long string on the main tunnel broker page? Also, do we need to put the password in as plain text, or do we need to run it through a hash creator and then type the actual hash in place of the password?

I have tried always and don't seem to be having any luck >:(

Here is what I'm using:

  add https://ipv4.tunnelbroker.net/ipv4_end.php?ipv4b=<a>&pass=420cd5c188d6****1401a2345042e2d5&user_id=7f24b5fa534cd76****1745b0ee4b983&tunnel_id=4****

Thanks Shaun


You must hash the password without the endline...

echo -n mypassword | md5sum

Does it work now?

Try loading the URL in the browser.
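
The newline pitfall from the reply above, as an added example that is not part of the original posts: it hashes the password with and without a trailing newline and builds the update URL used in this thread. The function names and sample values are constructed for illustration.

```sh
#!/bin/sh
# Added example: derive the "pass" value and build the endpoint-update URL.
# Function names and all sample values are constructed placeholders.

# MD5 of the exact password bytes. printf '%s' never appends a newline;
# "echo -n" is not portable (some sh builtins print a literal "-n").
he_pass_md5() {
    printf '%s' "$1" | md5sum | cut -d' ' -f1
}

# The digest you get when a trailing newline sneaks in (plain "echo").
# It differs from he_pass_md5, so it will not match the account password.
he_pass_md5_with_newline() {
    printf '%s\n' "$1" | md5sum | cut -d' ' -f1
}

# Build the URL used in the thread. Refuses a pass value that is not a
# 32-digit lowercase hex MD5 (for example a pasted plain-text password)
# and a tunnel id that is not numeric.
he_update_url() {  # args: md5pass user_id tunnel_id [ipv4|AUTO]
    case "$1" in
        *[!0-9a-f]*|"") return 1 ;;
    esac
    [ "${#1}" -eq 32 ] || return 1
    case "$3" in
        *[!0-9]*|"") return 1 ;;
    esac
    printf 'https://ipv4.tunnelbroker.net/ipv4_end.php?ipv4b=%s&pass=%s&user_id=%s&tunnel_id=%s\n' \
        "${4:-AUTO}" "$1" "$2" "$3"
}
```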


Thanks for the reply, but I don't really get what you mean. Could you maybe show me an example of what you mean?

Thanks Shaun


If you paste the URL in your browser window, it gives you something like "username & password mismatch" or "endpoint successfully updated".

What did you get?

See Ya


Doh, I think this is where the problem is: the URL takes me to "There is a problem with this website's security certificate". If I click to continue, it updates fine. Any ideas how I can get the router to bypass the page that comes up with the certificate warning, as this is where the router is aborting the connection and not updating my IP address to the tunnel broker? I also have not got a clue when it comes to certificates :o

Thanks for your help so far, much appreciated


I noticed a couple things when trying this:

1. If I try the update with non-secure http - the IOS ddns updater will not use an appropriate hostname in the HTTP GET request Host field to the server.  Instead of using the provided ipv4.tunnelbroker.net hostname, it is using the ip address and the server rejects this request as unknown.

2. tunnelbroker.net uses a self-signed certificate. IOS is only able to load CA root certificates, not the resulting signed certificates. There is no way to load the certificate the website presents to allow for IOS to accept the connection. Without accepting the connection an error is presented (seen by enabling debug ip ddns update):

Nov  2 2009 19:01:38.378 CST: HTTPDNSUPD: Call returned Request Aborted, update of testhost.gawul.net <=> 216.165.xxx.xxx failed


I should have noted - I was testing on a 1721 router, not an 877

Cisco IOS Software, C1700 Software (C1700-K9O3SY7-M), Version 12.4(25b)


If you can't directly get the https page, put this php script somewhere and call it.

It's just some php script taken and rapidly adapted.

Let me know if you find it useful :)

See Ya


Actually there is a way to load the self-signed certificate from tunnelbroker's website and make ddns update method work over HTTPS.
Tested on 12.4(20)-12.4(24).

crypto pki trustpoint tunnelbroker
enrollment terminal pem
revocation-check none
crypto pki certificate chain tunnelbroker
certificate ca 00BC201A57EBB49897
  308202B1 3082021A 020900BC 201A57EB B4989730 0D06092A 864886F7 0D010104
  05003081 9C310B30 09060355 04061302 55533113 30110603 55040813 0A43616C
  69666F72 6E696131 10300E06 03550407 13074672 656D6F6E 74312030 1E060355
  040A1317 48757272 6963616E 6520456C 65637472 69632C20 4C4C4331 0D300B06
  0355040B 13044950 56363119 30170603 55040313 1074756E 6E656C62 726F6B65
  722E6E65 74311A30 1806092A 864886F7 0D010901 160B696E 666F4068 652E6E65
  74301E17 0D303730 37313130 31333533 315A170D 31373037 30383031 33353331
  5A30819C 310B3009 06035504 06130255 53311330 11060355 0408130A 43616C69
  666F726E 69613110 300E0603 55040713 07467265 6D6F6E74 3120301E 06035504
  0A131748 75727269 63616E65 20456C65 63747269 632C204C 4C43310D 300B0603
  55040B13 04495056 36311930 17060355 04031310 74756E6E 656C6272 6F6B6572
  2E6E6574 311A3018 06092A86 4886F70D 01090116 0B696E66 6F406865 2E6E6574
  30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00D7247C
  252A7E69 754A8501 9186608F 2C96E4BE 96E4B636 28A17A56 535C01A4 13C86B96
  44B75E3D C060B927 75D5A072 84D754C9 48F4B2B4 B4440C3D 904857F4 178D71EA
  1EF84E6F 88684F5E 30F956F2 48F45718 3A9489A9 096019CD 15988847 C380E750
  3033DFA9 5191A434 400960C5 C4F9387C 7AEB5AF3 3C633D2D 241208C6 6F020301
  0001300D 06092A86 4886F70D 01010405 00038181 00554596 289633CD 361C3A98
  968BDE20 939975C9 D786942E 6269C380 71C2F4F0 1A74E55C 63376492 60684350
  0F49FBA0 90711CEF 373FBF38 E232556C EB63C56A A1718BAF 760A49C6 0A7C320A
  7F879BF3 C55B1F98 9CEC8D2C 28E2DA83 986D366B 7BDEE7E6 264AACE9 3F84964E
  CBB6ECC5 135D9945 A0CB4BAB BA08B7DF 517DCBB7 1F
ip ddns update method tunnelbroker
 HTTP
  add https://ipv4.tunnelbroker.net/ipv4_end.php?ipv4b=AUTO&pass=MD5PASS&user_id=USERID&tunnel_id=GTUNID
 interval maximum 1 0 0 0
 interval minimum 1 0 0 0
interface Tunnel0
 ip ddns update tunnelbroker


That's workable I guess. It'd be nicer if they simply gave you a way to automatically accept self-signed (or other problem) certs based on the URL or something like that without having to embed it statically into the config.



How did you add this certificate initially?  I kept getting an error that the router did not like the first line of the certificate that I was pulling down from the tunnelbroker website.



Since the certificate is self-signed, I accepted the security exception in Firefox & exported the certificate from the browser store to Base-64 encoded X.509 (.CER). Then I enrolled it from the terminal (via copy-paste) on the Cisco router.
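
A check to run around the export-and-enroll procedure described in the last posts, as an added example that is not part of the thread: it compares the exported certificate with a fingerprint obtained out of band, checks its remaining validity, and converts the hex words of a `certificate ca` entry back to DER for inspection. It assumes the openssl CLI is installed; the function names and the sample certificate (CN=broker.example) are constructed.

```sh
#!/bin/sh
# Added example: vet a self-signed certificate before pinning it as an IOS
# trustpoint, and audit one already pinned. Requires the openssl CLI.

# SHA-256 fingerprint of a certificate file. $2 is PEM (default) or DER.
cert_fp() {
    openssl x509 -in "$1" -inform "${2:-PEM}" -noout -fingerprint -sha256 |
        cut -d= -f2
}

# Pin only if the exported file matches a fingerprint obtained out of band
# and stays valid for at least $3 more seconds (default 0 = not yet expired).
cert_ok_to_pin() {  # args: pem_file expected_fingerprint [min_seconds_left]
    [ "$(cert_fp "$1")" = "$2" ] ||
        { echo "fingerprint mismatch" >&2; return 1; }
    openssl x509 -in "$1" -noout -checkend "${3:-0}" >/dev/null ||
        { echo "certificate expires too soon" >&2; return 2; }
}

# Turn the hex words listed under "certificate ca ..." in a saved config
# back into DER so the pinned certificate can be inspected with openssl.
ios_hex_to_der() {  # hex dump on stdin, DER on stdout
    tr -d ' \t\r\n' | fold -w 2 | while read -r byte || [ -n "$byte" ]; do
        printf "\\$(printf '%03o' "0x$byte")"
    done
}

# Constructed self-signed certificate (CN is a placeholder) so the example
# runs offline: args are key_out cert_out days.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$3" \
        -subj "/CN=broker.example" -keyout "$1" -out "$2" 2>/dev/null
}
```

To audit a saved config, put the hex lines in a file and run `ios_hex_to_der < file | openssl x509 -inform DER -noout -subject -enddate`.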