Cloudflare Docs
Magic Transit
Edit this page
Give us feedback
Set theme to dark (⇧+D)

GRE and IPsec tunnels

​​ Tunnels and encapsulation

Magic Transit uses Generic Routing Encapsulation (GRE) and IPsec tunnels to transmit packets from Cloudflare’s global network to your origin network. Cloudflare sets up tunnel endpoints on global network servers inside your network namespace, and you set up tunnel endpoints on routers at your data center.

To accommodate additional header data introduced by encapsulation, the maximum segment size (MSS) must be adjusted so that packets comply with the standard Internet routable maximum transmission unit (MTU), which is 1500 bytes.

For instructions, refer to Set Maximum Segment Size.

This diagram illustrates the flow of traffic with Magic Transit.


​​ ​​Anycast

Magic Transit uses Anycast IP addresses for Cloudflare’s tunnel endpoints. In the Anycast model, any server in any data center can receive traffic and must be capable of encapsulating and decapsulating packets for any tunnel.

This works with GRE tunnels because the GRE protocol is stateless. Each packet is processed independently and does not require any negotiation or coordination between tunnel endpoints. Tunnel endpoints are technically bound to IP addresses but do not need to be bound to specific devices. Any device that can strip off the outer headers and then route the inner packet can handle any GRE packet sent over the tunnel.

For IPsec tunnels, the customer’s router negotiates the creation of an IPsec tunnel with Cloudflare using the Internet Key Exchange (IKE) protocol. Next, the Cloudflare server that handled that negotiation will propagate the details of that newly created IPsec tunnel (traffic selectors, keys, etc.) across Cloudflare’s data centers. The result is that any Cloudflare server can then handle traffic for that IPsec tunnel, even though only one Cloudflare server actually negotiated the setup of that tunnel.

Cloudflare’s Anycast architecture provides a conduit to your tunnel for every server in every data center on Cloudflare’s global network as shown in the image below.

​​ IPsec tunnels

IPsec is a group of protocols that are used together to set up encrypted connections between devices. It helps keep data sent over public networks secure. IPsec is often used to set up VPNs, and it works by encrypting IP packets, along with authenticating the source where the packets come from.

For information on how to set up an IPsec tunnel, refer to Configure tunnel endpoints. To learn more about the configuration parameters Magic Transit uses to create an IPsec tunnel, keep reading.

​​ How IKEv2 is used to establish an IPsec tunnel

Magic Transit uses the following stages to establish an IPsec tunnel:

  • Initial Exchange (IKE_SA_INIT): IKE peers negotiate parameters for the IKE Security Association (SA) and establish a shared secret used for key derivation. After this exchange, the peers have a secure communication channel but they have not yet authenticated each other. If supported, the peers will also perform NAT detection in this exchange.
  • Auth Exchange (IKE_AUTH): Using the secure tunnel established in the initial exchange, IKE peers mutually authenticate each other. After authentication, the IKE security association (SA) is established. Next, the peers negotiate and establish an IPsec tunnel, known as a Child SA.

In summary, an IKE SA is created that uses certain cryptographic transforms. That IKE SA is then used to create a Child SA which itself uses certain cryptographic transforms. The configuration section below details which of these transforms for IKE SAs and Child SAs are currently supported by Magic Transit.

​​ Supported configuration parameters

Below is a list of the configuration parameters supported by Magic WAN. Choose which ones to use based on what your appliance supports.

​​ IKE SA

IKE SA is sometimes referred to as Phase 1 as per IKEv1 language.

  • Encryption

    • AES-GCM-16 with 128-bit or 256-bit key length
    • AES-CBC with 256-bit key length
  • Integrity (sometimes referred to as Authentication)

    • SHA2-256
  • Diffie-Hellman group:
    Below is a list of all Diffie-Hellman (DH) groups supported by Cloudflare. However, Cloudflare recommends that you use only one DH group when configuring your device, specifically DH group 14.

    • DH group 20 (384-bit random ECP group)
    • DH group 14 (2048-bit MODP group)
    • DH group 5 (1536-bit MODP group)
  • Pseudorandom function (PRF) (not to be confused with PFS. PRF is often not a configurable setting.)

    • SHA2-256
    • SHA2-384
    • SHA2-512

​​ IPsec

The Child SA. Sometimes referred to as Phase 2 as per IKEv1 language.

  • Encryption:

    • AES-GCM-16 with 128-bit or 256-bit key length
    • AES-CBC with 128-bit or 256-bit key length
  • Integrity (sometimes referred to as Authentication.)

    • SHA2-256
    • SHA-1
  • PFS group (sometimes referred to as Phase 2 Diffie-Hellman Group. Not to be confused with PRF.)
    Below is a list of all Diffie-Hellman (DH) groups supported by Cloudflare. However, Cloudflare recommends that you use only one DH group when configuring your device, specifically DH group 14.

    • DH group 20 (384-bit random ECP group)
    • DH group 14 (2048-bit MODP group)
    • DH group 5 (1536-bit MODP group)

​​ Required configuration parameters

  • The IKE version must be IKEv2.
  • The IKE authentication method must be Pre-Shared Key (PSK).
  • If your router is behind NAT and requires NAT traversal (NAT-T), then your router must initiate IKE communication on port 4500. Most devices support configuring NAT-T to begin on port 4500 (exceptions include at least some versions of the Cisco ASA). NAT-T is not supported for IKE sessions which begin on port 500 and then switch to port 4500.
  • (Uncommon) Extended Sequence Numbers (ESN) must be disabled.
  • If your tunnels need replay protection, enable Dead Peer Detection (DPD) in your router and select the option that restarts your IKE session when a DPD timeout occurs. This “restart” option ensures that the connection can recover in the event that a Cloudflare server goes offline. If your router does not expose this setting, check the router documentation for its dead peer detection behavior.

​​ Optional configuration parameters

  • Disable anti-replay protection.
  • Null encryption for IPsec: This option should not be used unless necessary as it reduces security because IPsec traffic is not encrypted. You must explicitly opt in to use this option.

​​ Supported IKE ID formats

Magic Transit supports the following IKE ID types for IPsec:

RFC nameFormatExample
ID_RFC822_ADDRipsec@<TUNNEL_ID>.<ACCOUNT_ID>.ipsec.cloudflare.comipsec@f5407d8db1a542b196c59f6d04ba8bd1.123456789.ipsec.cloudflare.com
ID_FQDN<TUNNEL_ID>.<ACCOUNT_ID>.ipsec.cloudflare.comf5407d8db1a542b196c59f6d04ba8bd1.123456789.ipsec.cloudflare.com
ID_KEY_ID<ACCOUNT_ID>_<TUNNEL_ID>123456789_f5407d8db1a542b196c59f6d04ba8bd1

Additionally, the IKE ID type of ID_IPV4_ADDR is supported if the following two conditions are met:

  1. The IPsec tunnel’s customer_endpoint value is set.
  2. The combination of cloudflare_endpoint and customer_endpoint is unique among the customer’s IPsec tunnels.

​​ Network Analytics

Cloudflare’s Network Analytics provides near real-time visibility into network and transport layer traffic patterns and DDoS attacks which can help troubleshoot IP traffic issues. You can also use Network Analytics to view information about the traffic that leaves Cloudflare’s global network by reviewing ingress and egress tunnel traffic over a specific amount of time.

For more information, refer to Analytics.