IPv6 with Tunnel Broker Configuration Example

From DocWiki


Common info

A tunnel broker hands you the IPv4 address of one of its PoPs, which goes into the "tunnel destination" command of a 6in4 (ipv6ip) tunnel on your router, together with the IPv6 endpoint addresses and a routed prefix; with that in place you have working IPv6 over your existing IPv4 uplink.

Do not try to subnet the /64 that comes with the tunnel: it is the point-to-point link between you and the PoP, and a /64 cannot be split any further for hosts that autoconfigure. Request the routed /48 instead; that is what the brokers hand out for putting real devices behind the router.

The basic IOS config is the same for both tunnel brokers. Here it is (taken from the SixXS FAQ and modified to add basic firewalling: outbound sessions are inspected so their return traffic is let in, and everything else inbound except ICMPv6 is dropped and logged):

ipv6 unicast-routing
ipv6 cef
ipv6 inspect name V6-INSPECT tcp
ipv6 inspect name V6-INSPECT udp
ipv6 inspect name V6-INSPECT ftp
ipv6 inspect name V6-INSPECT icmp
interface tunnel0
 description IPv6 uplink to SixXS / HE
 no ip address
 ipv6 enable
 ipv6 nd suppress-ra (<12.4)
 ipv6 nd ra suppress (>=12.4)
 ipv6 address [Your IPv6 Endpoint]/[Prefix Length]
 ipv6 mtu 1280 (or other MTU value, depending on what you configured the tunnel to)
 tunnel source [Your IPv4 Endpoint or 'dialer' interface]
 tunnel destination [PoP IPv4 Endpoint]
 tunnel mode ipv6ip
 ipv6 traffic-filter V6-FILTER in
 ipv6 inspect V6-INSPECT out
 ipv6 virtual-reassembly
ipv6 route ::/0 Tunnel0
! Some folks filter some ICMPs here. 
ipv6 access-list V6-FILTER
 permit icmp any any
 deny ipv6 any any log



For SixXS, IOS should work with either "static" or "heartbeat" type tunnels. They have a point system and deduct points for changing the tunnel type, so you can end up without enough points if you pick wrongly. If you are 100% sure you have a fixed IPv4 address, pick "static" when requesting; otherwise take "heartbeat", which works with either a static or a dynamic IPv4 endpoint. The config is as above.

The tricky part is who is going to send the "heartbeat" described in the SixXS heartbeat draft: IOS itself does not send one, so a host on your LAN has to do it.

Luckily they publish a sample shell script that does this, although it has a little bug ("-c" in the argument of netcat) that cost me 30 points in debugging mistakes before I figured it out :-)

Here's a bug free version:

 #! /bin/sh
 # written by Oliver Walter <owb@gmx.de>
 # Fill these in from your SixXS tunnel details:
 localv6="[Your IPv6 Endpoint]/[Prefix Length]"
 remotev6="[PoP IPv6 Endpoint]"
 remotev4="[PoP IPv4 Endpoint]"
 password="[Heartbeat password]"
 while [ 1 ]; do
     hb="HEARTBEAT TUNNEL `echo -n $localv6|cut -d '/' -f 1` sender `date +%s`"
     echo -n "$hb `echo -n $hb $password|md5sum|cut -d ' ' -f 1`"|netcat -w 1 -u $remotev4 3740
     ping6 -s 8 -c 1 -q $remotev6 >/dev/null 2>&1 &
     sleep 60
 done

As they point out on the Heartbeat page, your clock has to be NTP-synced: the timestamp is part of the heartbeat, they have pretty stringent requirements for it, and they will drop heartbeat packets whose timestamp is off.

(Still an open question: where to find the heartbeat password; it is not the same as your login. I'll put something here if I hear from the SixXS folks.) Or if you find it, edit it here in place.

Once you start the heartbeat, your tunnel will automagically come up.

Hurricane Electric


The IOS forwarding part is the same as for SixXS. Their way of updating your IPv4 endpoint is different:

 Please use the format "https://USERNAME:PASSWORD@ipv4.tunnelbroker.net/ipv4_end.php?tid=TUNNELID"
   USERNAME: Your tunnelbroker.net username.
   PASSWORD: Your tunnelbroker.net password.
   TUNNELID: The Global Tunnel ID from the tunnel_details page

Note: plain HTTP doesn't work. You MUST use HTTPS, which poses some certificate issues on IOS.

Basically, your IPv4 address is detected automatically from the source of the request. As long as you fetch the URL from behind your router (so the request leaves with the IPv4 address assigned to you), updating the endpoint is just a matter of retrieving a fixed URL specific to your tunnel. Obviously do this only when the address changes. Note that the URL carries your username and password, so keep it out of shell history and proxy logs; most HTTP clients can take the credentials separately (for example curl -u) instead of embedded in the URL.
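An added example (not the page's or Hurricane Electric's code) of the "only when the address changes" update from a host behind the router: it remembers the last address pushed, and fetches the endpoint URL over verified TLS with the credentials handed to curl rather than embedded in the URL. The state-file path, the CA bundle path and the HE_USER, HE_PASS and HE_TID variables are assumptions; the host, script name and tid parameter are the ones the page quotes.

```sh
#!/bin/sh
# Added example, not the page's or HE's code.
# Assumed: HE_USER, HE_PASS, HE_TID in the environment; HE_CAFILE points at
# your distro's CA bundle or at a PEM saved from "openssl s_client -showcerts";
# STATE_FILE is writable by whoever runs this.
HE_URL="https://ipv4.tunnelbroker.net/ipv4_end.php"
STATE_FILE=${STATE_FILE:-/var/tmp/he-tunnel-endpoint}
HE_CAFILE=${HE_CAFILE:-/etc/ssl/certs/ca-certificates.crt}

# he_changed CURRENT_V4 -> 0 (true) if CURRENT_V4 differs from the last
# address we pushed, or if nothing has been pushed yet.
he_changed() {
    [ -r "$STATE_FILE" ] || return 0
    [ "$(cat "$STATE_FILE")" != "$1" ]
}

# he_record CURRENT_V4 -> remember the address that was just pushed.
he_record() {
    printf '%s\n' "$1" > "$STATE_FILE"
}

# he_push -> one GET of the update URL. --cacert makes curl verify the
# server chain against the bundle; -u sends the same basic-auth credentials
# the page's USERNAME:PASSWORD@ URL form would, without putting them in the
# URL. HE reads the new IPv4 address from the source of the request, so no
# address parameter is sent. Not called by the checks below.
he_push() {
    curl --silent --show-error --fail --cacert "$HE_CAFILE" \
         -u "$HE_USER:$HE_PASS" "$HE_URL?tid=$HE_TID"
}

# Usage (e.g. from cron, on a host behind the router):
#   HE_UPDATE_RUN=1 HE_USER=... HE_PASS=... HE_TID=... ./he-update.sh <current public IPv4>
if [ "${HE_UPDATE_RUN:-0}" = 1 ]; then
    addr=$1
    if he_changed "$addr"; then
        he_push && he_record "$addr"
    fi
fi
```

The address is only recorded after curl reports success (--fail turns an HTTP error into a non-zero exit), so a failed push is retried on the next run instead of being forgotten.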

IOS also supports dynamic DNS update methods, so you can set up the router itself to update the IPv4 end of the tunnel.

ip ddns update method Hurricane
 add https://USERNAME:PASSWORD@ipv4.tunnelbroker.net/ipv4_end.php?tid=TUNNELID
 interval maximum 0 1 0 0

Enter the URL without any space in it, and replace USERNAME, PASSWORD and TUNNELID with your own values. The "interval maximum" line is optional; I added it to update every hour. Its four fields are days, hours, minutes and seconds, so "0 1 0 0" sends an update hourly even if the address has not changed.

Note: the IOS CLI treats "?" as a request for context help, so the "add https://..." line cannot be typed straight in. Type it up to the "?", press Ctrl+V (which makes IOS take the next character literally), then type the "?" and the rest of the line, or paste the two halves the same way.

Hurricane Electric (Tunnel Broker) replaced their self-signed SSL certificate at the beginning of November 2011 and again on 11 April 2014. Replacing the self-signed certificate with a CA-issued one likely broke many Cisco IOS update configurations, because IOS will only talk to an HTTPS server whose chain ends at a CA it has been given in a trustpoint.

You can check the certificate chain currently served by ipv4.tunnelbroker.net with the following command on a Unix host: "openssl s_client -showcerts -connect ipv4.tunnelbroker.net:443". The chain below is the Starfield Class 2 root CA (serial 00, valid 2004-2034); confirm that the chain openssl shows you still ends at that root before trusting it, since HE has changed certificates before. Note that "revocation-check none" means IOS will not consult a CRL or OCSP for this trustpoint. You can copy and paste the code below into your running config.

crypto pki trustpoint tunnelbroker
 enrollment terminal pem
 revocation-check none
crypto pki certificate chain tunnelbroker
 certificate ca 00
 3082040F 308202F7 A0030201 02020100 300D0609 2A864886 F70D0101 05050030 
 68310B30 09060355 04061302 55533125 30230603 55040A13 1C537461 72666965 
 6C642054 6563686E 6F6C6F67 6965732C 20496E63 2E313230 30060355 040B1329 
 53746172 6669656C 6420436C 61737320 32204365 72746966 69636174 696F6E20 
 41757468 6F726974 79301E17 0D303430 36323931 37333931 365A170D 33343036 
 32393137 33393136 5A306831 0B300906 03550406 13025553 31253023 06035504 
 0A131C53 74617266 69656C64 20546563 686E6F6C 6F676965 732C2049 6E632E31 
 32303006 0355040B 13295374 61726669 656C6420 436C6173 73203220 43657274 
 69666963 6174696F 6E204175 74686F72 69747930 82012030 0D06092A 864886F7 
 0D010101 05000382 010D0030 82010802 82010100 B732C8FE E971A604 85AD0C11 
 64DFCE4D EFC80318 873FA1AB FB3CA69F F0C3A1DA D4D86E2B 5390FB24 A43E84F0 
 9EE85FEC E52744F5 28A63F7B DEE02AF0 C8AF532F 9ECA0501 931E8F66 1C39A74D 
 FA5AB673 042566EB 777FE759 C64A9925 1454EB26 C7F37F19 D530708F AFB0462A 
 FFADEB29 EDD79FAA 0487A3D4 F989A534 5FDB4391 8236D966 3CB1B8B9 82FD9C3A 
 3E10C83B EF066566 7A9B1918 3DFF7151 3C302E5F BE3D7773 B25D066C C323569A 
 2B852692 1CA702B3 E43F0DAF 087982B8 363DEA9C D335B3BC 69CAF5CC 9DE8FD64 
 8D178033 6E5E4A5D 99C91E87 B49D1AC0 D56E1335 235EDF9B 5F3DEFD6 F776C2EA 
 3EBB780D 1C42676B 04D8F8D6 DA6F8BF2 44A001AB 020103A3 81C53081 C2301D06 
 03551D0E 04160414 BF5FB7D1 CEDD1F86 F45B55AC DCD710C2 0EA988E7 30819206 
 03551D23 04818A30 81878014 BF5FB7D1 CEDD1F86 F45B55AC DCD710C2 0EA988E7 
 A16CA46A 3068310B 30090603 55040613 02555331 25302306 0355040A 131C5374 
 61726669 656C6420 54656368 6E6F6C6F 67696573 2C20496E 632E3132 30300603 
 55040B13 29537461 72666965 6C642043 6C617373 20322043 65727469 66696361 
 74696F6E 20417574 686F7269 74798201 00300C06 03551D13 04053003 0101FF30 
 0D06092A 864886F7 0D010105 05000382 01010005 9D3F889D D1C91A55 A1AC69F3 
 F359DA9B 01871A4F 57A9A179 092ADBF7 2FB21ECC C75E6AD8 8387A197 EF49353E 
 77064158 62BF8E58 B80A673F ECB3DD21 661FC954 FA72CC3D 4C40D881 AF779E83 
 7ABBA2C7 F534178E D91140F4 FC2C2A4D 157FA762 5D2E25D3 000B201A 1D68F917 
 B8F4BD8B ED2859DD 4D168B17 83C8B265 C72D7AA5 AABC5386 6DDD57A4 CAF82041 
 0B68F0F4 FB74BE56 5D7A79F5 F91D85E3 2D95BEF5 719043CC 8D1F9A00 0A8729E9 
 55225800 23EAE312 43295B47 08DD8C41 6A6506A8 E521AA41 B4952195 B97DD134 
 AB13D6AD BCDCE23D 39CDBD3E 7570A118 5903C922 B48F9CD5 5E2AD7A5 B6D40A6D 
 F8B74011 469A1F79 0E62BF0F 97ECE02F 1F1794
 quit
interface FastEthernet0/0
 ip ddns update Hurricane

Apply "ip ddns update Hurricane" to whichever interface carries your WAN IPv4 address (a Dialer interface, for example), not necessarily FastEthernet0/0.

There is a thread on the tunnelbroker.net forum with more information about dynamic DNS updates: http://www.tunnelbroker.net/forums/index.php?topic=659.0

