IPv6 with Tunnel Broker Configuration Example
Tunnel brokers are something that you can put into the "tunnel destination" command on your config, and have the IPv6 working.
Do not try to split the /64 that they give originally - it most probably would not work! They give out the /48s for the purpose of putting the real devices on them.
The basic config using IOS is the same for both tunnelbrokers, here it is (taken from SixXS FAQ and modified to add the basic firewalling part):
ipv6 unicast-routing ipv6 cef ipv6 inspect name V6-INSPECT tcp ipv6 inspect name V6-INSPECT udp ipv6 inspect name V6-INSPECT ftp ipv6 inspect name V6-INSPECT icmp ! interface tunnel0 description IPv6 uplink to SixXS / HE no ip address ipv6 enable ipv6 nd suppress-ra (<12.4) ipv6 nd ra suppress (>=12.4) ipv6 address [Your IPv6 Endpoint]/[Prefix Length] ipv6 mtu 1280 (or other MTU value, depending on what you configured the tunnel to) tunnel source [Your IPv4 Endpoint or 'dialer' interface] tunnel destination [PoP IPv4 Endpoint] tunnel mode ipv6ip ipv6 traffic-filter V6-FILTER in ipv6 inspect V6-INSPECT out ipv6 virtual-reassembly ! ipv6 route ::/0 Tunnel0 ! ! Some folks filter some ICMPs here. ipv6 access-list V6-FILTER permit icmp any any deny ipv6 any any log !
For SixXS, the IOS should work either with "static" or "heartbeat" type tunnels. They have a funny point scheme, whereby they take away your points for changing the tunnel type - so in the end you might not have enough. If you are 100% sure you have the fixed IPv4 address - then you can pick "static" when requesting. Else - take the "heartbeat" one - you can use it with either static or dynamic IPv4 endpoint. The config is as per above.
The tricky part is who is going to send the "heartbeat" described in the draft
Luckily they publish a sample shell script that does this, albeit it has a little bug ("-c" in the argument of netcat) that cost me 30 points in debugging mistakes before I figured it out :-)
Here's a bug free version:
#! /bin/sh # written by Oliver Walter <firstname.lastname@example.org> localv6="$1" password="$2" remotev4="$3" remotev6="$4" while [ 1 ] do hb="HEARTBEAT TUNNEL `echo -n $localv6|cut -d '/' -f 1` sender `date +%s`" echo -n "$hb `echo -n $hb $password|md5sum|cut -d ' ' -f 1`"|netcat -w 1 -u $remotev4 3740 ping6 -s 8 -c 1 -q $remotev6 >/dev/null 2>&1 & sleep 60 done
As they point at the Heartbeat page - your clock has to be NTP-synced, as they have pretty stringent requirements for it, and will drop the heartbeat packets otherwise.
(Still open question: where to find the heartbeat password - it is not the same as your login. I'll put something here if I hear from the SixXS folks). Or if you find it - edit it here in-place.
Once you start the heartbeat, your tunnel will automagically come up.
Same setup as on the SixXS for the IOS 'forwarding' part. Their way to update your endpoint is different:
Please use the format "https://USERNAME:PASSWORD@ipv4.tunnelbroker.net/ipv4_end.php?tid=TUNNELID" Where: USERNAME: Your tunnelbroker.net username. PASSWORD: Your tunnelbroker.net password. TUNNELID: The Global Tunnel ID from the tunnel_details page
Note: HTTP doesn't work. You MUST use HTTPS which poses some certificate issues.
Basically, your IPv4 address is automatically detected. (and you are requesting from behind your router - so your source IPv4 address will be the same as the one assigned to you) - then to update the address, you just need to retrieve a statically computed URL, specific to your tunnel. Obviously do this only when the address changes.
IOS also support dynamic dns features, so you can set up your cisco router to automatically update the ipv4 end of the tunnel.
ip ddns update method Hurricane HTTP add https://USERNAME:PASSWORD@ipv4.tunnelbroker.net/ipv4_end.php?tid=TUNNELID (please remove the space and replace username, password and tunnel id with proper values) interval maximum 0 1 0 0 (this line is optional, i added to update every hour) !
Note: When entering the add https:...line you need to copy the first part to the beginning of the ?. Then, hit CNTRL+V, and copy/paste in the section from the ? to the end of the line
Hurricane Electric (Tunnel Broker) replaced their self-signed SSL certificates at the beginning of November 2011. The replacement of the self-signed certificate with a proper CA likely broke many Cisco IOS user update scripts due to the way IOS handles certificates.
You can verify the installed SSL certificates on the ipv4.tunnelbroker.com site with the following command: (unix based) "openssl s_client -showcerts -host ipv4.tunnelbroker.net -port 443" You can copy and paste the code below into your running config.
crypto pki trustpoint tunnelbroker enrollment terminal pem revocation-check none ! ! crypto pki certificate chain tunnelbroker certificate ca 01 308202E7 30820250 02010130 0D06092A 864886F7 0D010105 05003081 BB312430 22060355 0407131B 56616C69 43657274 2056616C 69646174 696F6E20 4E657477 6F726B31 17301506 0355040A 130E5661 6C694365 72742C20 496E632E 31353033 06035504 0B132C56 616C6943 65727420 436C6173 73203220 506F6C69 63792056 616C6964 6174696F 6E204175 74686F72 69747931 21301F06 03550403 13186874 74703A2F 2F777777 2E76616C 69636572 742E636F 6D2F3120 301E0609 2A864886 F70D0109 01161169 6E666F40 76616C69 63657274 2E636F6D 301E170D 39393036 32363030 31393534 5A170D31 39303632 36303031 3935345A 3081BB31 24302206 03550407 131B5661 6C694365 72742056 616C6964 6174696F 6E204E65 74776F72 6B311730 15060355 040A130E 56616C69 43657274 2C20496E 632E3135 30330603 55040B13 2C56616C 69436572 7420436C 61737320 3220506F 6C696379 2056616C 69646174 696F6E20 41757468 6F726974 79312130 1F060355 04031318 68747470 3A2F2F77 77772E76 616C6963 6572742E 636F6D2F 3120301E 06092A86 4886F70D 01090116 11696E66 6F407661 6C696365 72742E63 6F6D3081 9F300D06 092A8648 86F70D01 01010500 03818D00 30818902 818100CE 3A71CAE5 ABC85992 55D7ABD8 740EF9EE D9F65547 5965470E 0555DCEB 98363C5C 535DD330 CF38ECBD 4189ED25 4209246B 0A5EB37C DD522D4C E6D4D67D 5A59A965 D449132D 244D1C50 6FB5C185 543BFE71 E4D35C42 F980E091 1A0A5B39 3667F33F 557C1B3F B45F6473 34E3B412 BF8764F8 DA12FF37 27C1B343 BBEF7B6E 2E69F702 03010001 300D0609 2A864886 F70D0101 05050003 8181003B 7F506F6F 50949949 6238381F 4BF8A5C8 3EA78281 F62BC7E8 C5CEE83A 1082CB18 008E4DBD A8587FA1 7900B5BB E98DAF41 D90F34EE 218119A0 324928F4 C48E56D5 5233FD50 D57E996C 03E4C94C FCCB6CAB 66B34A21 8CE5B50C 323E10B2 CC6CA1DC 9A984C02 5BF3CEB9 9EA5720E 4AB73F3C E61668F8 BEED744C BC5BD562 1F43DD quit ! interface FastEthernet0/0 (or any other interface has your WAN ip address, like a Dialer) ip ddns update Hurricane
There is a thread on TunnelBroker's website with more information about dynamic DNS. http://www.tunnelbroker.net/forums/index.php?topic=659.0