Sunday, 9 October 2011

EN - Hurricane Electric IPv6 Tunnel with Cisco 887


As mentioned earlier, I have been playing with the Hurricane Electric IPv6 tunnel setup. Now that the tunnel is up and running I would like to share what I learned and provide a few configuration snippets.

Start by registering at www.tunnelbroker.net and requesting an IPv6 tunnel. As soon as you are registered you can set up the tunnel and, in addition to the /64 on the tunnel itself, request a routed /48 network. Obviously, I did request the /48.

Configuring the router breaks down into five steps (more or less):
  • Tunnel creation
  • Configure the HE tunnel endpoint update
  • Add the HE certificate
  • Configure and use your /48 network
  • Testing
HE's default configuration expects a static IPv4 address on your router. Since I am using a home DSL connection, my IP address changes every 24 hours. That is why the tunnel source is the Dialer interface rather than a fixed IPv4 address: IOS then uses whatever address PPP currently assigns to it.

interface Tunnel0
 description Hurricane Electric IPv6 Tunnel Broker
 no ip address
 ipv6 enable
 ipv6 address 2001:470:xxxx:xxxx::2/64
 tunnel source Dialer1
 tunnel destination 216.66.84.42
 tunnel mode ipv6ip
ipv6 route ::/0 Tunnel0
In addition to this configuration I placed the tunnel interface into the appropriate zone of the zone-based firewall. Keep in mind that Tunnel0 is an Internet-facing interface just like the Dialer: all IPv6 traffic from the Internet enters the router through it, so it needs the same inbound policy as the outside zone.
The next step for sites with a changing IP address is to make the router tell HE about the new IPv4 endpoint. Hurricane Electric provides an update URL for this purpose (ACCOUNTNAME, ACCOUNTPASSWORD and TUNNELID are placeholders for your own values):
https://ACCOUNTNAME:ACCOUNTPASSWORD@ipv4.tunnelbroker.net/ipv4_end.php?tid=TUNNELID

To update your IP at HE you can use the DDNS feature of the Cisco router. Two practical notes: when typing the `add` line at the CLI, press Ctrl-V before the `?`, otherwise IOS treats it as a request for context help instead of part of the URL; and the account password is stored in clear text in the running configuration, so treat `show running-config` output and configuration backups accordingly. (The author notes that the URL line is to be updated in a later post.)

ip ddns update method HEv6
 HTTP
  add https://ACCOUNTNAME:ACCOUNTPASSWORD@ipv4.tunnelbroker.net/ipv4_end.php?tid=TUNNELID
 interval maximum 0 6 0 0
 interval minimum 0 1 0 0
The intervals are days, hours, minutes and seconds: the router will not send updates more often than once an hour and will refresh the endpoint at HE at least every six hours.
You then have to attach the update method to your Dialer interface (or whichever interface provides your Internet connection):
interface Dialer1
 ip ddns update hostname WS-Router
 ip ddns update HEv6
The next step is to import the certificate HE uses for the tunnel broker website. The site presents a self-signed certificate, so the router's HTTPS client will reject the DDNS update unless that exact certificate is imported as a trustpoint.
crypto pki trustpoint HEv6
 enrollment terminal pem
 revocation-check none
You need to authenticate the trustpoint using the following dialog:
#crypto pki authenticate HEv6

Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself

MIID8DCCAtigAwIBAgIJAPF6IlDmmdRhMA0GCSqGSIb3DQEBBQUAMIGcMQswCQYD
VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEQMA4GA1UEBxMHRnJlbW9udDEg
MB4GA1UEChMXSHVycmljYW5lIEVsZWN0cmljLCBMTEMxDTALBgNVBAsTBElQdjYx
GTAXBgNVBAMTEHR1bm5lbGJyb2tlci5uZXQxGjAYBgkqhkiG9w0BCQEWC2lwdjZA
aGUubmV0MB4XDTExMDQyMjE3NDIyMFoXDTIxMDQxOTE3NDIyMFowgZwxCzAJBgNV
BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRAwDgYDVQQHEwdGcmVtb250MSAw
HgYDVQQKExdIdXJyaWNhbmUgRWxlY3RyaWMsIExMQzENMAsGA1UECxMESVB2NjEZ
MBcGA1UEAxMQdHVubmVsYnJva2VyLm5ldDEaMBgGCSqGSIb3DQEJARYLaXB2NkBo
ZS5uZXQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDe5nza8zQ/AiT+
ySc4mZYmLMcIrcU3q6ZEwIY5vHg2chzCJGCPQIwtBiexSZ7CWL8/GjdPWs6DoCut
DS6VlGGaRhJd0ppUOB3uZLcqnfY0/d40WpRFm49yAV3fmhQg744BKUz2+V23E3tP
n4UXq507dQ3RmNiZoS/T+DUbt1URXFZDIJmc4vjnYfGQhUzhbWZbC7J5fMFnTFSL
NWNou4drWwcApm4FjPfVr+tdanjGEs8bMGSbXo6BjtStiEy1yJ3QGyZLwuURcMMv
DV06/hc2Nv9MZPUaIPvXmNcSuVvY3MJiD1CiCWVmfiO3h7b5EmIWC+ZpO9L3Mk6/
j/MgWR6jAgMBAAGjMzAxMC8GA1UdEQQoMCaCEHR1bm5lbGJyb2tlci5uZXSCEiou
dHVubmVsYnJva2VyLm5ldDANBgkqhkiG9w0BAQUFAAOCAQEAXMG5ZOeyRCzIEPYP
tZKbr1N0CkiBHf+7bVqUqfifEte6S/edpUdzIzB9Wtt484Dt88cAeg4BH2z+Kx2C
lE9PxtTSMCInZIniuoLhaBP0BiRXEurTYdreFmen/S5cCkffVr+eJGk92lQQAdMr
kyz2kD1NCwCaEp1w9DYltDbfC2v8BSIiEKVvD72VW6E2r7AvW73s3+E3WcWbt6pV
qrKfFH4mKH0BR7nLzm5zduojCvIdH3GjelyLd7lUVR3N8Dz626tOzni/bzHpbH3T
dMlBIl3f7c41wcoFG5zSZf1mvgyOnSlOnNmlxMbnfnrIyIyfYz1L8UWqWZGbxJYH
EXcOrA==

Certificate has the following attributes:
       Fingerprint MD5: 1128B641 08E7E271 B2FFB7FF 91411952
      Fingerprint SHA1: 9EB44F27 6BCE5EF6 5D9D38CC A9252276 4318075C

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported

I exported the applied certificate from my browser after opening the tunnelbroker page with Firefox.
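Before answering `yes` at that prompt, compare the fingerprints the router prints with the ones Firefox (or `openssl x509 -fingerprint`) shows for tunnelbroker.net: importing a self-signed certificate pins it as trusted, so accepting an unverified one would pin whatever was intercepted on the path. The following Python script is an added example and is not part of the original post or of Cisco or HE tooling. It recomputes the two fingerprints over the certificate pasted above using only the standard library, and walks just enough of the DER to show subject, issuer and validity window, which is how you see that the certificate is indeed self-signed and when the import will have to be repeated. The function names (`check_pin`, `parse_certificate`, …) and the returned field names are this example's own.

```python
import base64
import hashlib

# Base64 certificate body exactly as pasted into the IOS dialog above.
HE_CERT_B64 = """
MIID8DCCAtigAwIBAgIJAPF6IlDmmdRhMA0GCSqGSIb3DQEBBQUAMIGcMQswCQYD
VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEQMA4GA1UEBxMHRnJlbW9udDEg
MB4GA1UEChMXSHVycmljYW5lIEVsZWN0cmljLCBMTEMxDTALBgNVBAsTBElQdjYx
GTAXBgNVBAMTEHR1bm5lbGJyb2tlci5uZXQxGjAYBgkqhkiG9w0BCQEWC2lwdjZA
aGUubmV0MB4XDTExMDQyMjE3NDIyMFoXDTIxMDQxOTE3NDIyMFowgZwxCzAJBgNV
BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRAwDgYDVQQHEwdGcmVtb250MSAw
HgYDVQQKExdIdXJyaWNhbmUgRWxlY3RyaWMsIExMQzENMAsGA1UECxMESVB2NjEZ
MBcGA1UEAxMQdHVubmVsYnJva2VyLm5ldDEaMBgGCSqGSIb3DQEJARYLaXB2NkBo
ZS5uZXQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDe5nza8zQ/AiT+
ySc4mZYmLMcIrcU3q6ZEwIY5vHg2chzCJGCPQIwtBiexSZ7CWL8/GjdPWs6DoCut
DS6VlGGaRhJd0ppUOB3uZLcqnfY0/d40WpRFm49yAV3fmhQg744BKUz2+V23E3tP
n4UXq507dQ3RmNiZoS/T+DUbt1URXFZDIJmc4vjnYfGQhUzhbWZbC7J5fMFnTFSL
NWNou4drWwcApm4FjPfVr+tdanjGEs8bMGSbXo6BjtStiEy1yJ3QGyZLwuURcMMv
DV06/hc2Nv9MZPUaIPvXmNcSuVvY3MJiD1CiCWVmfiO3h7b5EmIWC+ZpO9L3Mk6/
j/MgWR6jAgMBAAGjMzAxMC8GA1UdEQQoMCaCEHR1bm5lbGJyb2tlci5uZXSCEiou
dHVubmVsYnJva2VyLm5ldDANBgkqhkiG9w0BAQUFAAOCAQEAXMG5ZOeyRCzIEPYP
tZKbr1N0CkiBHf+7bVqUqfifEte6S/edpUdzIzB9Wtt484Dt88cAeg4BH2z+Kx2C
lE9PxtTSMCInZIniuoLhaBP0BiRXEurTYdreFmen/S5cCkffVr+eJGk92lQQAdMr
kyz2kD1NCwCaEp1w9DYltDbfC2v8BSIiEKVvD72VW6E2r7AvW73s3+E3WcWbt6pV
qrKfFH4mKH0BR7nLzm5zduojCvIdH3GjelyLd7lUVR3N8Dz626tOzni/bzHpbH3T
dMlBIl3f7c41wcoFG5zSZf1mvgyOnSlOnNmlxMbnfnrIyIyfYz1L8UWqWZGbxJYH
EXcOrA==
"""

# Fingerprints IOS printed for this certificate (values from the page).
EXPECTED_MD5 = "1128B641 08E7E271 B2FFB7FF 91411952"
EXPECTED_SHA1 = "9EB44F27 6BCE5EF6 5D9D38CC A9252276 4318075C"
OID_COMMON_NAME = b"\x55\x04\x03"  # id-at-commonName (2.5.4.3)

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long form: low seven bits count the length octets
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _children(value):
    """Split a constructed DER value into its (tag, value) components."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out

def _common_name(name):
    """CN of an X.501 Name: SEQUENCE OF SET OF SEQUENCE { OID, value }."""
    for _, rdn in _children(name):
        for _, atv in _children(rdn):
            (_, oid), (_, val) = _children(atv)
            if oid == OID_COMMON_NAME:
                return val.decode("ascii")
    return None

def decode_pem_body(b64_text):
    """Turn the pasted base64 lines back into the DER certificate."""
    return base64.b64decode("".join(b64_text.split()))

def fingerprints(der):
    """MD5 and SHA1 over the DER, formatted the way IOS prints them."""
    def fmt(digest):
        h = digest.hex().upper()
        return " ".join(h[i:i + 8] for i in range(0, len(h), 8))
    return {"md5": fmt(hashlib.md5(der).digest()),
            "sha1": fmt(hashlib.sha1(der).digest())}

def parse_certificate(der):
    """Issuer/subject CN, validity window and self-signed flag from the DER."""
    _, cert, _ = _tlv(der, 0)            # Certificate ::= SEQUENCE
    _, tbs = _children(cert)[0]          # tbsCertificate
    fields = _children(tbs)
    if fields[0][0] == 0xA0:             # explicit [0] version (v3 certificates)
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    issuer, validity, subject = fields[2][1], fields[3][1], fields[4][1]
    not_before, not_after = (v.decode("ascii") for _, v in _children(validity))
    return {"issuer_cn": _common_name(issuer),
            "subject_cn": _common_name(subject),
            "not_before": not_before,    # UTCTime, YYMMDDhhmmssZ
            "not_after": not_after,
            "self_signed": issuer == subject}  # identical Name encodings

def check_pin(b64_text, expected_sha1):
    """True only if the certificate's SHA1 equals the out-of-band fingerprint."""
    return fingerprints(decode_pem_body(b64_text))["sha1"] == expected_sha1

if __name__ == "__main__":
    der = decode_pem_body(HE_CERT_B64)
    print(fingerprints(der))
    print(parse_certificate(der))
    print("accept trustpoint:", check_pin(HE_CERT_B64, EXPECTED_SHA1))
```

Run it and compare the printed fingerprints with the router's prompt; only if they match is `yes` the right answer. The validity fields also tell you when the pinned certificate expires and the trustpoint has to be re-authenticated with HE's current certificate.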

I subnetted the /48 HE assigned to me and put one of the subnets on Loopback2 to check that everything works:
interface Loopback2
 ipv6 address 2001:470:XXXX::1/58
 ipv6 enable
Last but not least, make sure DNS resolution is enabled on the router (`ip domain lookup`, with a reachable name server) so the DDNS client can resolve the tunnelbroker hostname in the update URL.
Final testing:

ping ipv6 ipv6.google.com source loop 2
Sending 5, 100-byte ICMP Echos to 2A00:1450:8004::6A, timeout is 2 seconds:
Packet sent with a source address of 2001:470:XXXX::1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 76/76/76 ms

Everything worked as expected. Great!
More to come here!
