IPv6 with Tunnel Broker Configuration Example

From DocWiki

Revision as of 07:13, 26 October 2011 by Anubisg11 (Talk | contribs)

Common info

A tunnel broker gives you an IPv4 PoP endpoint that you put into the "tunnel destination" command of your config, and your IPv6 connectivity then runs over that tunnel.

Do not try to split the /64 they give you initially for the tunnel itself; it most probably will not work. They hand out /48s for the purpose of putting the real devices on them.

The basic IOS config is the same for both tunnel brokers; here it is (taken from the SixXS FAQ and modified to add the basic firewalling part):

ipv6 unicast-routing
ipv6 cef
ipv6 inspect name V6-INSPECT tcp
ipv6 inspect name V6-INSPECT udp
ipv6 inspect name V6-INSPECT ftp
ipv6 inspect name V6-INSPECT icmp
!
interface tunnel0
 description IPv6 uplink to SixXS / HE
 no ip address
 ipv6 enable
 ipv6 nd suppress-ra (<12.4)
 ipv6 nd ra suppress (>=12.4)
 ipv6 address [Your IPv6 Endpoint]/[Prefix Length]
 ipv6 mtu 1280 (or other MTU value, depending on what you configured the tunnel to)
 tunnel source [Your IPv4 Endpoint or 'dialer' interface]
 tunnel destination [PoP IPv4 Endpoint]
 tunnel mode ipv6ip
 ipv6 traffic-filter V6-FILTER in
 ipv6 inspect V6-INSPECT out
 ipv6 virtual-reassembly
!
ipv6 route 2000::/3 [PoP IPv6 Endpoint]
!
! Some folks filter some ICMPv6 types here.
ipv6 access-list V6-FILTER
 permit icmp any any
 deny ipv6 any any log
!

SixXS

For SixXS, IOS should work with either "static" or "heartbeat" type tunnels. They have a funny points scheme whereby they take away points for changing the tunnel type, so in the end you might not have enough. If you are 100% sure you have a fixed IPv4 address, pick "static" when requesting; otherwise take the "heartbeat" one, which works with either a static or a dynamic IPv4 endpoint. The config is as above.

The tricky part is who is going to send the "heartbeat" described in the heartbeat draft.

Luckily they publish a sample shell script that does this, although it has a little bug ("-c" in the argument of netcat) that cost me 30 points in debugging mistakes before I figured it out :-)

Here's a bug-free version:

 #! /bin/sh
 # written by Oliver Walter <owb@gmx.de>
 # usage: heartbeat.sh <local IPv6 endpoint[/len]> <heartbeat password> <PoP IPv4> <PoP IPv6>
 localv6="$1"
 password="$2"
 remotev4="$3"
 remotev6="$4"
 while true
 do
     # message body: the tunnel's IPv6 endpoint (prefix length stripped) and the current unix time
     hb="HEARTBEAT TUNNEL `echo -n "$localv6" | cut -d '/' -f 1` sender `date +%s`"
     # append the MD5 of "<body> <password>" and send the whole line as one UDP datagram to port 3740
     echo -n "$hb `echo -n "$hb $password" | md5sum | cut -d ' ' -f 1`" | netcat -w 1 -u "$remotev4" 3740
     # one small ping keeps the IPv6 side of the tunnel alive; its output is discarded
     ping6 -s 8 -c 1 -q "$remotev6" >/dev/null 2>&1 &
     sleep 60
 done

As they point out on the Heartbeat page, your clock has to be NTP-synced; they have pretty stringent requirements for it and will drop the heartbeat packets otherwise.

(Still an open question: where to find the heartbeat password; it is not the same as your login. I'll put something here if I hear from the SixXS folks.) Or if you find it, edit it here in place.

Once you start the heartbeat, your tunnel will automagically come up.
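The same heartbeat message, built and checked in Python, as an added example that is not part of the original page or of the SixXS scripts. It constructs the line exactly as the shell script above does (MD5 over the message body, a space and the shared password) and adds the receiving side: the PoP recomputes the digest and rejects timestamps outside a tolerance window, which is why the clock must be NTP-synced. The function names, the UDP send helper and the MAX_SKEW value are assumptions; the page does not state SixXS's actual tolerance.

```python
"""Added example (not from the DocWiki page or SixXS): build, send and verify a
SixXS-style heartbeat. Assumed, not from the page: the function names, the
send helper and MAX_SKEW (SixXS's real tolerance is not given on the page)."""
import hashlib
import hmac
import socket
import time

HEARTBEAT_PORT = 3740   # UDP port used by the page's shell script
MAX_SKEW = 120          # assumption: accepted |sender time - receiver time| in seconds


def heartbeat_message(local_v6, password, sender_time):
    """Return 'HEARTBEAT TUNNEL <v6> sender <time> <md5>' exactly as the page's
    script computes it: MD5 over the body, a space and the shared password.
    A prefix length such as '/64' on the endpoint is stripped first."""
    addr = local_v6.split("/", 1)[0]
    body = f"HEARTBEAT TUNNEL {addr} sender {int(sender_time)}"
    digest = hashlib.md5(f"{body} {password}".encode("ascii")).hexdigest()
    return f"{body} {digest}"


def verify_heartbeat(message, password, now, max_skew=MAX_SKEW):
    """PoP-side check. Returns (True, 'ok') only if the layout is right, the MD5
    matches the shared password, and the sender timestamp lies within max_skew
    seconds of the receiver clock; otherwise (False, reason)."""
    parts = message.split(" ")
    if len(parts) != 6 or parts[:2] != ["HEARTBEAT", "TUNNEL"] or parts[3] != "sender":
        return False, "malformed"
    addr, ts, digest = parts[2], parts[4], parts[5]
    if not ts.isdigit():
        return False, "bad timestamp"
    expected = heartbeat_message(addr, password, int(ts)).rsplit(" ", 1)[1]
    # constant-time comparison so the check does not leak how much of the digest matched
    if not hmac.compare_digest(expected, digest):
        return False, "bad digest"
    if abs(int(ts) - int(now)) > max_skew:
        return False, "clock skew"
    return True, "ok"


def send_heartbeat(local_v6, password, remote_v4, port=HEARTBEAT_PORT):
    """Send one heartbeat datagram to the PoP (network side effect) and return it."""
    msg = heartbeat_message(local_v6, password, time.time())
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(msg.encode("ascii"), (remote_v4, port))
    return msg


if __name__ == "__main__":
    # constructed sample values; the digest is recomputed rather than pasted
    sample = heartbeat_message("2001:db8::2/64", "example-password", time.time())
    print(sample)
    print(verify_heartbeat(sample, "example-password", time.time()))
```

One practical difference from the shell script: the password is passed to the functions rather than on the command line, so it is not visible to every local user in the process list; read it from a protected file or environment variable when you wire this into a loop.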

Hurricane Electric

TunnelBroker.net

The IOS 'forwarding' part is the same setup as for SixXS. Their way of updating your endpoint is different:

 Please use the format "https ://USERNAME:PASSWORD@ipv4.tunnelbroker.net/ipv4_end.php?tid=TUNNELID"
 Where:
   USERNAME: Your tunnelbroker.net username.
   PASSWORD: Your tunnelbroker.net password.
   TUNNELID: The Global Tunnel ID from the tunnel_details page

NB: I have added the space after 'https' to prevent the wiki from auto-linking the nonsensical URL. You obviously should not have the space. HTTP does not work.

Basically, your IPv4 address is detected automatically (you are requesting from behind your router, so your source IPv4 address is the same as the one assigned to you), so to update the address you just need to retrieve a statically computed URL that is specific to your tunnel. Obviously do this only when the address changes.

IOS also supports dynamic DNS features, so you can set up your Cisco router to update the IPv4 end of the tunnel automatically.

Hurricane Electric has a self-signed SSL certificate, so to use HTTPS we need to import the certificate into the IOS config. You can view and verify it with the command (on a Unix-based host) "openssl s_client -connect ipv4.tunnelbroker.net:443".

ip ddns update method Hurricane
 HTTP
  add http s://USERNAME:PASSWORD@ipv4.tunnelbroker.net/ipv4_end.php?tid=TUNNELID
 interval maximum 0 1 0 0
! Remove the space after 'http' (see the NB above) and replace USERNAME, PASSWORD and TUNNELID with your own values.
! Press Ctrl-V before typing the '?' in the URL, otherwise the IOS CLI treats it as a request for command help.
! The "interval maximum 0 1 0 0" line is optional; I added it to update every hour.
!
crypto pki trustpoint HURRICANE
 enrollment terminal pem
 revocation-check none
!
!
crypto pki certificate chain HURRICANE
 certificate ca 00F17A2250E699D461
  308203F0 308202D8 A0030201 02020900 F17A2250 E699D461 300D0609 2A864886
  F70D0101 05050030 819C310B 30090603 55040613 02555331 13301106 03550408
  130A4361 6C69666F 726E6961 3110300E 06035504 07130746 72656D6F 6E743120
  301E0603 55040A13 17487572 72696361 6E652045 6C656374 7269632C 204C4C43
  310D300B 06035504 0B130449 50763631 19301706 03550403 13107475 6E6E656C
  62726F6B 65722E6E 6574311A 30180609 2A864886 F70D0109 01160B69 70763640
  68652E6E 6574301E 170D3131 30343232 31373432 32305A17 0D323130 34313931
  37343232 305A3081 9C310B30 09060355 04061302 55533113 30110603 55040813
  0A43616C 69666F72 6E696131 10300E06 03550407 13074672 656D6F6E 74312030
  1E060355 040A1317 48757272 6963616E 6520456C 65637472 69632C20 4C4C4331
  0D300B06 0355040B 13044950 76363119 30170603 55040313 1074756E 6E656C62
  726F6B65 722E6E65 74311A30 1806092A 864886F7 0D010901 160B6970 76364068
  652E6E65 74308201 22300D06 092A8648 86F70D01 01010500 0382010F 00308201
  0A028201 0100DEE6 7CDAF334 3F0224FE C9273899 96262CC7 08ADC537 ABA644C0
  8639BC78 36721CC2 24608F40 8C2D0627 B1499EC2 58BF3F1A 374F5ACE 83A02BAD
  0D2E9594 619A4612 5DD29A54 381DEE64 B72A9DF6 34FDDE34 5A94459B 8F72015D
  DF9A1420 EF8E0129 4CF6F95D B7137B4F 9F8517AB 9D3B750D D198D899 A12FD3F8
  351BB755 115C5643 20999CE2 F8E761F1 90854CE1 6D665B0B B2797CC1 674C548B
  356368BB 876B5B07 00A66E05 8CF7D5AF EB5D6A78 C612CF1B 30649B5E 8E818ED4
  AD884CB5 C89DD01B 264BC2E5 1170C32F 0D5D3AFE 173636FF 4C64F51A 20FBD798
  D712B95B D8DCC262 0F50A209 65667E23 B787B6F9 1262160B E6693BD2 F7324EBF
  8FF32059 1EA30203 010001A3 33303130 2F060355 1D110428 30268210 74756E6E
  656C6272 6F6B6572 2E6E6574 82122A2E 74756E6E 656C6272 6F6B6572 2E6E6574
  300D0609 2A864886 F70D0101 05050003 82010100 5CC1B964 E7B2442C C810F60F
  B5929BAF 53740A48 811DFFBB 6D5A94A9 F89F12D7 BA4BF79D A5477323 307D5ADB
  78F380ED F3C7007A 0E011F6C FE2B1D82 944F4FC6 D4D23022 276489E2 BA82E168
  13F40624 5712EAD3 61DADE16 67A7FD2E 5C0A47DF 56BF9E24 693DDA54 1001D32B
  932CF690 3D4D0B00 9A129D70 F43625B4 36DF0B6B FC052222 10A56F0F BD955BA1
  36AFB02F 5BBDECDF E13759C5 9BB7AA55 AAB29F14 7E26287D 0147B9CB CE6E7376
  EA230AF2 1D1F71A3 7A5C8B77 B954551D CDF03CFA DBAB4ECE 78BF6F31 E96C7DD3
  74C94122 5DDFEDCE 35C1CA05 1B9CD265 FD66BE0C 8E9D294E 9CD9A5C4 C6E77E7A
  C8C88C9F 633D4BF1 45AA5991 9BC49607 11770EAC
  quit
!
interface FastEthernet0/0 (or whichever interface holds your WAN IP address, such as a Dialer)
 ip ddns update Hurricane
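For a Unix host behind the router, here is the "retrieve the URL only when the address changes" approach from the tunnelbroker.net section, as an added example that is not part of the original page or of Hurricane Electric's tooling. It remembers the last address pushed, contacts the broker only on a change, sends the credentials as an Authorization header rather than embedding them in the URL, and trusts only the broker's own self-signed certificate instead of disabling verification. The state-file location, the environment variable names (HE_USER, HE_PASS, HE_TID, HE_CACERT, WAN_IPV4) and the assumption that the PEM shown by openssl s_client has been saved to the HE_CACERT path are all mine, not the page's.

```python
"""Added example (not from the DocWiki page or Hurricane Electric): push the
tunnelbroker.net IPv4 endpoint only when the local WAN address has changed.
Assumed, not from the page: the environment variable names, the state-file
path, and that the broker's certificate PEM was saved to HE_CACERT."""
import base64
import os
import ssl
import urllib.request

UPDATE_HOST = "ipv4.tunnelbroker.net"   # host from the page's update URL


def update_url(tunnel_id):
    """Credential-free form of the page's URL; the credentials go in a header."""
    return f"https://{UPDATE_HOST}/ipv4_end.php?tid={tunnel_id}"


def ip_changed(addr, state_path):
    """True (and record addr) only when addr differs from the last address pushed,
    so the broker is contacted only when the address actually changes."""
    try:
        with open(state_path, encoding="ascii") as fh:
            if fh.read().strip() == addr:
                return False
    except FileNotFoundError:
        pass
    with open(state_path, "w", encoding="ascii") as fh:
        fh.write(addr + "\n")
    return True


def basic_auth_header(user, password):
    """HTTP Basic value equivalent to USERNAME:PASSWORD@ in the page's URL."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def pinned_context(ca_path):
    """TLS context that trusts only the certificate saved from openssl s_client
    (the broker's cert is self-signed, so the system CA store will not accept it)."""
    return ssl.create_default_context(cafile=ca_path)


def push_endpoint(user, password, tunnel_id, ca_path, timeout=10):
    """Fetch the update URL over pinned HTTPS and return the broker's reply text."""
    req = urllib.request.Request(
        update_url(tunnel_id),
        headers={"Authorization": basic_auth_header(user, password)},
    )
    with urllib.request.urlopen(req, context=pinned_context(ca_path), timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def main():
    # WAN_IPV4 is assumed to be supplied by whatever learns the address (e.g. a DHCP/PPP hook)
    addr = os.environ["WAN_IPV4"]
    state = os.environ.get("HE_STATE", os.path.expanduser("~/.he_tunnel_ipv4"))
    if not ip_changed(addr, state):
        return "unchanged"
    return push_endpoint(os.environ["HE_USER"], os.environ["HE_PASS"],
                         os.environ["HE_TID"], os.environ["HE_CACERT"])


if __name__ == "__main__":
    print(main())
```

Run it from the hook that fires when the WAN address is (re)assigned; the state file makes repeated invocations harmless, and a wrong or rotated broker certificate fails the TLS handshake instead of silently sending the credentials to whoever answers.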
