IPv6 with Tunnel Broker Configuration Example

From DocWiki


Revision as of 23:47, 13 December 2011

Common info

A tunnel broker gives you the far end of an IPv6-in-IPv4 tunnel: the PoP's IPv4 address is what goes into the "tunnel destination" command in your config, and together with the tunnel endpoint address and the routed prefix they assign, IPv6 then just works over your existing IPv4 connection.

Do not try to split the /64 they give you with the tunnel; it most probably will not work. Request the routed /48 (that is what it is for) and put your real devices on subnets of that.

The basic IOS config is the same for both tunnel brokers. Here it is, taken from the SixXS FAQ and modified to add a basic firewalling part (stateful inspection outbound, a deny-by-default filter inbound):

ipv6 unicast-routing
ipv6 cef
ipv6 inspect name V6-INSPECT tcp
ipv6 inspect name V6-INSPECT udp
ipv6 inspect name V6-INSPECT ftp
ipv6 inspect name V6-INSPECT icmp
!
interface tunnel0
 description IPv6 uplink to SixXS / HE
 no ip address
 ipv6 enable
 ! do not advertise yourself as a router on the tunnel:
 ! "ipv6 nd suppress-ra" on IOS before 12.4, "ipv6 nd ra suppress" on 12.4 and later
 ipv6 nd ra suppress
 ipv6 address [Your IPv6 Endpoint]/[Prefix Length]
 ! 1280 is the IPv6 minimum; use whatever MTU you configured for the tunnel at the broker
 ipv6 mtu 1280
 tunnel source [Your IPv4 Endpoint or 'dialer' interface]
 tunnel destination [PoP IPv4 Endpoint]
 tunnel mode ipv6ip
 ! inbound: deny by default, return traffic is opened by the outbound inspection
 ipv6 traffic-filter V6-FILTER in
 ipv6 inspect V6-INSPECT out
 ipv6 virtual-reassembly
!
ipv6 route ::/0 Tunnel0
!
! Some folks filter some ICMPs here. If you do, keep at least packet-too-big
! (path MTU discovery has to work with the 1280-byte tunnel MTU) and the
! neighbour discovery messages: an explicit "deny ipv6 any any" at the end
! switches off the implicit nd-ns/nd-na permits an IPv6 access list otherwise has.
ipv6 access-list V6-FILTER
 permit icmp any any
 deny ipv6 any any log
!

SixXS

For SixXS, IOS should work with either "static" or "heartbeat" type tunnels. They have a funny point scheme, whereby they take away points for changing the tunnel type, so in the end you might not have enough. If you are 100% sure you have a fixed IPv4 address, pick "static" when requesting; otherwise take the "heartbeat" one, which you can use with either a static or a dynamic IPv4 endpoint. The IOS config is as above.

The tricky part is who is going to send the "heartbeat" described in the draft.

Luckily they publish a sample shell script that does this, albeit with a little bug (a "-c" in the netcat arguments) that cost me 30 points in debugging mistakes before I figured it out :-)

Here's a bug-free version:

 #! /bin/sh
 # written by Oliver Walter <owb@gmx.de>
 # usage: heartbeat.sh <local-ipv6[/len]> <heartbeat-password> <PoP-ipv4> <PoP-ipv6>
 localv6="$1"
 password="$2"
 remotev4="$3"
 remotev6="$4"
 # only the address goes into the message, so strip a /prefix-length once up front
 localv6="${localv6%%/*}"
 while true
 do
     # "sender" tells the PoP to take the IPv4 endpoint from the packet's source address
     hb="HEARTBEAT TUNNEL $localv6 sender $(date +%s)"
     # the trailer is the MD5 of the message, a space and the heartbeat password
     sum="$(echo -n "$hb $password" | md5sum | cut -d ' ' -f 1)"
     # one UDP datagram to port 3740 on the PoP, no newline at the end
     echo -n "$hb $sum" | netcat -w 1 -u "$remotev4" 3740
     ping6 -s 8 -c 1 -q "$remotev6" >/dev/null 2>&1 &
     sleep 60
 done

As they point out on the Heartbeat page, your clock has to be NTP-synced: they have pretty stringent requirements for it and will drop heartbeat packets with a timestamp that is too far off.
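The same heartbeat in Python, as an added example rather than anything published by SixXS or taken from the page: it builds the datagram exactly as the shell script above does (MD5 over the message, a space and the heartbeat password), sends it over UDP to port 3740 as the script does, and also implements the check a receiving PoP must perform, which makes the NTP requirement concrete. The 120-second acceptance window is an assumption for illustration; the real limit is not stated on the page.

```python
#!/usr/bin/env python3
"""SixXS-style heartbeat: build, verify and send the UDP datagram the shell script above emits."""
import hashlib
import hmac
import socket
import sys
import time

HEARTBEAT_PORT = 3740        # UDP port the page's script sends to
MAX_CLOCK_SKEW = 120         # assumed acceptance window in seconds; the PoP's real limit is not on the page


def build_heartbeat(local_v6, password, ts=None):
    """Return 'HEARTBEAT TUNNEL <addr> sender <unix-time> <md5hex>', as the shell script builds it.

    The digest is MD5 over the message, a space and the heartbeat password (a secret-suffix
    construction from the protocol, not a modern MAC); 'sender' tells the PoP to take the IPv4
    endpoint from the datagram's source address.
    """
    if ts is None:
        ts = int(time.time())
    addr = local_v6.split("/")[0]                       # drop a /prefix-length if one was given
    msg = f"HEARTBEAT TUNNEL {addr} sender {ts}"
    digest = hashlib.md5(f"{msg} {password}".encode("ascii")).hexdigest()
    return f"{msg} {digest}"


def verify_heartbeat(datagram, password, now, max_skew=MAX_CLOCK_SKEW):
    """What a receiving PoP has to check: shape, freshness (this is why NTP matters) and digest."""
    parts = datagram.split(" ")
    if len(parts) != 6 or parts[0] != "HEARTBEAT" or parts[1] != "TUNNEL" or parts[3] != "sender":
        return False
    try:
        ts = int(parts[4])
    except ValueError:
        return False
    if abs(now - ts) > max_skew:                         # stale, replayed or clock-skewed: dropped
        return False
    msg = " ".join(parts[:5])
    expected = hashlib.md5(f"{msg} {password}".encode("ascii")).hexdigest()
    return hmac.compare_digest(expected, parts[5])       # constant-time comparison of the trailer


def send_heartbeat(datagram, remote_v4, port=HEARTBEAT_PORT):
    """Fire-and-forget UDP, like 'netcat -u' in the script."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(datagram.encode("ascii"), (remote_v4, port))


if __name__ == "__main__":
    # same positional arguments as the shell script: local IPv6, password, PoP IPv4, PoP IPv6
    local_v6, password, remote_v4, _remote_v6 = sys.argv[1:5]
    while True:
        send_heartbeat(build_heartbeat(local_v6, password), remote_v4)
        time.sleep(60)
```

Because the timestamp is part of the digested message, an attacker who captures a datagram can only replay it inside the acceptance window, which is why the window is tight and why a drifting clock on the sender looks, to the PoP, exactly like a replay.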

(Still an open question: where to find the heartbeat password; it is not the same as your login. I'll put something here if I hear from the SixXS folks. Or if you find it, edit it here in place.)

Once you start the heartbeat, your tunnel will automagically come up.

Hurricane Electric

TunnelBroker.net

The IOS 'forwarding' part is the same setup as for SixXS. Their way to update your IPv4 endpoint is different:

 Please use the format "https://USERNAME:PASSWORD@ipv4.tunnelbroker.net/ipv4_end.php?tid=TUNNELID"
 Where:
   USERNAME: Your tunnelbroker.net username.
   PASSWORD: Your tunnelbroker.net password.
   TUNNELID: The Global Tunnel ID from the tunnel_details page

Note: HTTP doesn't work. You MUST use HTTPS, which poses some certificate issues (see the trustpoint configuration further down).

Your IPv4 endpoint is detected automatically from the source address of the request, so if you fetch the URL from behind your router (whose WAN address is the one the broker should see) there is nothing to compute: updating the endpoint is just retrieving a fixed URL specific to your tunnel. Obviously do this only when the address changes.

IOS also supports dynamic DNS update methods, so you can set up your Cisco router to update the IPv4 end of the tunnel itself:

ip ddns update method Hurricane
 HTTP
  add https://USERNAME:PASSWORD@ipv4.tunnelbroker.net/ipv4_end.php?tid=TUNNELID
 ! optional: also re-send the update every hour (days hours minutes seconds)
 interval maximum 0 1 0 0
!

(Replace USERNAME, PASSWORD and TUNNELID with your own values.)

Note: in the IOS CLI a "?" invokes context help, so the "add https://..." line cannot simply be pasted in one go. Type or paste everything up to the "?", press Ctrl+V (which makes the next character literal), type the "?", then paste the rest of the line. Be aware that the username and password end up in clear text in the running configuration, so treat copies of the config (backups, TFTP, "show run" output) as secrets.
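For a host behind the router that does the update instead of IOS, here is an added example (not from the page or from Hurricane Electric) of the same request done properly: the USERNAME:PASSWORD@host form of the page's URL is HTTP Basic authentication, so the script sends an explicit Authorization header and keeps the secret out of the URL, reads the credentials from environment variables rather than the command line, and, as the page says, only contacts the broker when the WAN address has actually changed. The state-file path, the environment variable names and the sample addresses are assumptions for illustration.

```python
#!/usr/bin/env python3
"""Notify tunnelbroker.net of a new IPv4 endpoint, but only when the address actually changed."""
import base64
import os
import sys
import urllib.request

UPDATE_URL = "https://ipv4.tunnelbroker.net/ipv4_end.php"   # endpoint from the page
STATE_FILE = "/var/tmp/he-last-ip"                           # assumed location of the last-notified address


def basic_auth_header(user, password):
    """The USERNAME:PASSWORD@host form on the page is HTTP Basic authentication. Build the header
    ourselves: urllib ignores userinfo in a URL anyway, and keeping the secret out of the URL keeps
    it out of proxy logs and shell history."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def plan_update(last_ip, current_ip, user, password, tunnel_id):
    """Return the prepared request if the WAN address changed since the last notification, else None.

    The broker detects the IPv4 endpoint from the connection's source address, so the request
    carries no address at all; the client's only job is to notice a change and authenticate.
    """
    if current_ip == last_ip:
        return None
    req = urllib.request.Request(f"{UPDATE_URL}?tid={tunnel_id}")
    req.add_header("Authorization", basic_auth_header(user, password))
    return req


def run_update(state_file, current_ip, user, password, tunnel_id):
    """Remember the last address in state_file so a cron job does not re-notify every minute."""
    try:
        with open(state_file) as f:
            last_ip = f.read().strip()
    except FileNotFoundError:
        last_ip = None
    req = plan_update(last_ip, current_ip, user, password, tunnel_id)
    if req is None:
        return "unchanged"
    with urllib.request.urlopen(req, timeout=15) as resp:       # the only network call
        body = resp.read().decode("utf-8", errors="replace")
    with open(state_file, "w") as f:                            # record only after the request succeeded
        f.write(current_ip)
    return body


if __name__ == "__main__":
    # usage: HE_USER=... HE_PASSWORD=... he_update.py <current-wan-ipv4> <tunnel-id>
    # The address must come from the router or its WAN interface: behind NAT the host's own
    # address is not the one the broker sees, so it is no use for change detection.
    current_ip, tunnel_id = sys.argv[1:3]
    user, password = os.environ["HE_USER"], os.environ["HE_PASSWORD"]
    print(run_update(STATE_FILE, current_ip, user, password, tunnel_id))
```

Since the broker's server trusts the source address of an authenticated request, the credentials are the whole security of the scheme: anyone holding them can point your tunnel at an address of their choosing, which is the reason to keep them out of URLs, process listings and world-readable config files.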

Hurricane Electric (Tunnel Broker) replaced their self-signed SSL certificate at the beginning of November 2011. Replacing the self-signed certificate with one issued by a proper CA likely broke many Cisco IOS user update scripts, because IOS validates the server certificate against a trustpoint: the router now needs the CA that signed the new certificate, not the old self-signed one.

You can verify the certificate chain currently served by ipv4.tunnelbroker.net with the following command (Unix based): "openssl s_client -showcerts -host ipv4.tunnelbroker.net -port 443". Check that the CA certificate you install matches the issuer shown there. The block below is the chain in use when this page was written: the ValiCert Class 2 Policy Validation Authority root, a 1024-bit RSA key with a SHA-1 signature, whose validity field decodes to notBefore 990626001954Z and notAfter 190626001954Z, i.e. it expires on 26 June 2019. Re-run the openssl check and replace the block whenever the broker's chain changes. Note also that "revocation-check none" tells the router to skip CRL/OCSP checking for this trustpoint; that keeps the update working on a router that cannot reach a CRL, but it means a revoked server certificate would still be accepted. You can copy and paste the code below into your running config.

crypto pki trustpoint tunnelbroker
 ! the CA certificate is pasted in (PEM/hex) rather than fetched over SCEP
 enrollment terminal pem
 ! no CRL/OCSP lookup for this trustpoint (see the note above)
 revocation-check none
!
!
crypto pki certificate chain tunnelbroker
 certificate ca 01
  308202E7 30820250 02010130 0D06092A 864886F7 0D010105 05003081 BB312430
  22060355 0407131B 56616C69 43657274 2056616C 69646174 696F6E20 4E657477
  6F726B31 17301506 0355040A 130E5661 6C694365 72742C20 496E632E 31353033
  06035504 0B132C56 616C6943 65727420 436C6173 73203220 506F6C69 63792056
  616C6964 6174696F 6E204175 74686F72 69747931 21301F06 03550403 13186874
  74703A2F 2F777777 2E76616C 69636572 742E636F 6D2F3120 301E0609 2A864886
  F70D0109 01161169 6E666F40 76616C69 63657274 2E636F6D 301E170D 39393036
  32363030 31393534 5A170D31 39303632 36303031 3935345A 3081BB31 24302206
  03550407 131B5661 6C694365 72742056 616C6964 6174696F 6E204E65 74776F72
  6B311730 15060355 040A130E 56616C69 43657274 2C20496E 632E3135 30330603
  55040B13 2C56616C 69436572 7420436C 61737320 3220506F 6C696379 2056616C
  69646174 696F6E20 41757468 6F726974 79312130 1F060355 04031318 68747470
  3A2F2F77 77772E76 616C6963 6572742E 636F6D2F 3120301E 06092A86 4886F70D
  01090116 11696E66 6F407661 6C696365 72742E63 6F6D3081 9F300D06 092A8648
  86F70D01 01010500 03818D00 30818902 818100CE 3A71CAE5 ABC85992 55D7ABD8
  740EF9EE D9F65547 5965470E 0555DCEB 98363C5C 535DD330 CF38ECBD 4189ED25
  4209246B 0A5EB37C DD522D4C E6D4D67D 5A59A965 D449132D 244D1C50 6FB5C185
  543BFE71 E4D35C42 F980E091 1A0A5B39 3667F33F 557C1B3F B45F6473 34E3B412
  BF8764F8 DA12FF37 27C1B343 BBEF7B6E 2E69F702 03010001 300D0609 2A864886
  F70D0101 05050003 8181003B 7F506F6F 50949949 6238381F 4BF8A5C8 3EA78281
  F62BC7E8 C5CEE83A 1082CB18 008E4DBD A8587FA1 7900B5BB E98DAF41 D90F34EE
  218119A0 324928F4 C48E56D5 5233FD50 D57E996C 03E4C94C FCCB6CAB 66B34A21
  8CE5B50C 323E10B2 CC6CA1DC 9A984C02 5BF3CEB9 9EA5720E 4AB73F3C E61668F8
  BEED744C BC5BD562 1F43DD
        quit
!
! apply the update method to whichever interface carries your WAN IPv4 address (e.g. a Dialer)
interface FastEthernet0/0
 ip ddns update Hurricane

There is a thread on TunnelBroker's website with more information about dynamic DNS. http://www.tunnelbroker.net/forums/index.php?topic=659.0
