Configure tunnel endpoints
Cloudflare recommends two tunnels for each ISP and network location router combination, one per Cloudflare endpoint. Cloudflare will assign two Cloudflare endpoint addresses shortly after your onboarding kickoff call that you can use as the tunnel destinations on your network location’s routers/endpoints.
To configure the tunnels between Cloudflare and your locations, you must provide the following data for each tunnel:
- Tunnel name: A name with 15 or fewer characters that does not contain spaces or special characters. The name cannot be shared with other tunnels.
- Cloudflare endpoint address: The public IP address of the Cloudflare side of the tunnel.
- Customer endpoint: A public Internet routable IP address outside of the prefixes Cloudflare will advertise on your behalf. These are generally IP addresses provided by your ISP. If you intend to use a physical or virtual connection like Cloudflare Network Interconnect, you do not need to provide endpoints because Cloudflare will provide them.
This value is not required for IPsec tunnels, unless your router is using an IKE ID of typeID_IPV4_ADDR
. - Interface address: A 31-bit (recommended) or 30-bit subnet (
/31
or/30
in CIDR notation) supporting two hosts, one for each side of the tunnel. Select the subnet from the following private IP space:10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
169.254.244.0/20
- TTL: Time to Live (TTL) in number of hops for the GRE tunnel. The default value is 64.
- MTU: Maximum Transmission Unit (MTU) in bytes for the GRE tunnel. The default value is 1476.
Tunnels
GRE tunnels
You can set up GRE tunnels through the Cloudflare dashboard or via the API. However, if you want to use the API, be sure to have your account ID and API key ready before you begin.
IPsec tunnels
You can use IPsec as an on-ramp to connect with your entire virtual network. With an IPsec tunnel, you can route traffic from your network to Cloudflare’s global network and define static routes to direct traffic down the correct tunnel.
You can set up IPsec tunnels through the Cloudflare dashboard or via the API. However, if you want to use the API, be sure to have your account ID and API key ready before you begin.
Anti-replay protection
If you use Magic Transit and Anycast IPsec tunnels, we recommend disabling anti-replay protection. This setting is disabled on Cloudflare’s side by default. However, it can be enabled via the API or the Cloudflare dashboard for devices that do not support disabling it, including Cisco Meraki, Velocloud, and AWS VPN Gateway.
Refer to Anti-replay protection for more information on this topic, or Add IPsec tunnels below to learn how to enable this feature.
Technical requirements for GRE and IPsec tunnels
Refer to Tunnels and encapsulation to learn about the technical requirements for GRE and IPsec tunnels used in Magic Transit.
Add tunnels
- Log in to the Cloudflare dashboard, and select your account.
- Select Magic Transit > Configuration.
- From the Tunnels tab, select Create.
- On the Add tunnels page, choose either a GRE tunnel or IPsec tunnel.
GRE tunnel
- In Tunnel name, give your tunnel a descriptive name. This name must be unique, must not contain spaces or special characters, and must be 15 or fewer characters. Hover the mouse over
i
in the dashboard for more information. - Give your tunnel a description in Description. You do not have character restrictions here.
- In Interface address, enter the internal IP address for your tunnel along with the interface’s prefix length (either
/31
or/30
). This is used to route traffic through the tunnel on the Cloudflare side. We recommend using an RFC1918 address scheme with a/31
netmask, as it provides the most efficient use of IP address space. - In Customer GRE endpoint, enter your router’s public IP address.
- In Cloudflare GRE endpoint, enter the Anycast address you received from your account team (typically begins with
172.x.x.x
). - Leave the default values for TTL and MTU.
- Choose the Health check rate for your tunnel. Available options are Low, Medium and High.
- The Health check type defaults to Reply and to creating an ICMP reply. If your firewall drops this type of packet for assuming it is a type of attack, change this option to Request which will create an ICMP request. Refer to Probe construction for more information.
- Health check target is the customer end of the tunnel. If health checks are not working, change this to Custom and enter an IP address from within the prefix range
172.64.240.252/30
. Refer to Configure tunnel health checks for more information. - (Optional) We recommend you test your tunnel before officially adding it. To test the tunnel, select Test tunnels.
- To add multiple tunnels, select Add GRE tunnel for each new tunnel.
- After adding your tunnel information, select Add tunnels to save your changes.
IPsec tunnel
- In Tunnel name, give your tunnel a descriptive name. This name must be unique, must not contain spaces or special characters, and must be 15 or fewer characters. Hover the mouse over
i
in the dashboard for more information. - Give your tunnel a description in Description. You do not have character restrictions here.
- In Interface address, enter the internal IP address for your tunnel along with the interface’s prefix length (either
/31
or/30
). This is used to route traffic through the tunnel on the Cloudflare side. We recommend using an RFC1918 address scheme with a/31
netmask, as it provides the most efficient use of IP address space. - In Customer endpoint, enter your router’s public IP address. This value is only required if your router is using an IKE ID of type
ID_IPV4_ADDR
. - In Cloudflare endpoint, enter the Anycast address you received from your account team (typically begins with
172.x.x.x
). - Choose the Health check rate for your tunnel. Available options are Low, Medium and High.
- The Health check type defaults to Reply and to creating an ICMP reply. If your firewall drops this type of packet for assuming it is a type of attack, change this option to Request which will create an ICMP request. Refer to Probe construction for more information.
- Health check target is the customer end of the tunnel. If health checks are not working, change this to Custom and enter an IP address from within the prefix range
172.64.240.252/30
. Refer to Configure tunnel health checks for more information.
If you do not have a pre-shared key yet:
- Select Add pre-shared key later.
- (Optional) We recommend you test your tunnel configuration before officially adding it. To test the tunnel, select Test tunnels.
- Select Add tunnels.
- The Cloudflare dashboard will load the list of tunnels you have configured. The IPsec tunnel you have just created will be listed with a warning in the form of a triangle to let you know it is not yet functional. Select Edit.
- Choose Generate a new pre-shared key > Update and generate a pre-shared key. Save the key to a safe place, and select Done.
If you already have a pre-shared key:
- Select Use my own pre-shared key.
- Paste your key in Your pre-shared key.
- (Optional) We recommend you test your tunnel before officially adding it. To test the tunnel, select Test tunnels.
- Select Add tunnels.
(Optional) Enable Replay protection if you have devices that do not support disabling it. Refer to Anti-replay protection for more information.
GRE tunnel
Create a POST
request using the API to create a GRE tunnel. You will need your API Key.
Example:
curl --request https://api.cloudflare.com/client/v4/accounts/{account_id}/magic/gre_tunnels \--header 'Content-Type: application/json' \--header 'X-Auth-Email: <EMAIL>' \--header 'X-Auth-Key: <API_KEY>' \--data '{"gre_tunnels": [{"name": "<TUNNEL_NAME>","description": "<TUNNEL_DESCRIPTION>","interface_address": "<INTERFACE_ADDRESS>","cloudflare_gre_endpoint": "<CLOUDFLARE_ENDPOINT>","customer_gre_endpoint": "<CUSTOMER_ENDPOINT>"}]}'
IPsec tunnel
- Create a
POST
request using the API to create an IPsec tunnel. You will need your API Key.
Note that in example below, replay protection is disabled by default. You can enable it with the flag "replay_protection": true
for each IPsec tunnel, if the devices you use do not support disabling this feature. If you have already created IPsec tunnels, update them with a PUT
request.
Refer to Refer to Anti-replay protection for more information on this topic.
Example:
curl --request https://api.cloudflare.com/client/v4/accounts/{account_id}/magic/ipsec_tunnels \--header 'Content-Type: application/json' \--header 'X-Auth-Email: <EMAIL>' \--header 'X-Auth-Key: <API_KEY>' \--data '{"ipsec_tunnels": [{"name": "<TUNNEL_NAME>","description": "<TUNNEL_DESCRIPTION>","interface_address": "<INTERFACE_ADDRESS>","cloudflare_endpoint": "<CLOUDFLARE_ENDPOINT>","customer_endpoint": "<CUSTOMER_ENDPOINT>","replay_protection": false}]}'
This will generate a response like the following:
{"result": {"ipsec_tunnels": [{"id": "<YOUR_TUNNEL_ID>","interface_address": "<INTERFACE_ADDRESS>","created_on": "2023-04-21T10:42:22.138586Z","modified_on": "2023-04-21T10:42:22.138586Z","name": "<TUNNEL_NAME>","cloudflare_endpoint": "<CLOUDFLARE_ENDPOINT>","customer_endpoint": "<CUSTOMER_ENDPOINT>","remote_identities": {"hex_id": "<HEX_ID>","fqdn_id": "<FQDN_ID>.ipsec.cloudflare.com","user_id": "ipsec@<USER_ID>.ipsec.cloudflare.com"},"description": " test","health_check": {"enabled": true,"target": "<TARGET>","type": "reply","rate": "mid"}}]},"success": true,"errors": [],"messages": []}
- Create a
POST
request to generate a PSK. Use the tunnelid
you received from the previous command (exemplified by<YOUR_TUNNEL_ID>
above):
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/magic/ipsec_tunnels/{your_tunnel_id}/psk_generate \--header 'X-Auth-Email: <EMAIL>'--header 'X-Auth-Key: <API_KEY>'
You will receive a response like the following:
{"result": {"ipsec_id": "<IPSEC_ID>","ipsec_tunnel_id": "<IPSEC_TUNNEL>","psk": "<YOUR_PSK_KEY>","psk_metadata": {"last_generated_on": "2023-04-21T10:48:15.953887008Z"}},"success": true,"errors": [],"messages": []}
- Use the above
psk
value to configure the IPsec tunnel on your equipment. You do not need to take further action to use the PSK on Cloudflare’s side, as this value is automatically set.
Next steps
Now that you have set up your tunnel endpoints, you need to configure static routes to route your traffic through Cloudflare.
Refer to Tunnels for more information on how Magic Transit tunnels work.