# IPSEC Tunnels

## List IPsec tunnels

`client.MagicTransit.IPSECTunnels.List(ctx, params) (*IPSECTunnelListResponse, error)`

**get** `/accounts/{account_id}/magic/ipsec_tunnels`

Lists IPsec tunnels associated with an account.

### Parameters

- `params IPSECTunnelListParams`
  - `AccountID param.Field[string]`
    Path param: Identifier
  - `XMagicNewHcTarget param.Field[bool]`
    Header param: If true, the health check target in the response body will be presented using the new object format. Defaults to false.

### Returns

- `type IPSECTunnelListResponse struct{…}`
  - `IPSECTunnels []IPSECTunnelListResponseIPSECTunnel`
    - `ID string`
      Identifier
    - `CloudflareEndpoint string`
      The IP address assigned to the Cloudflare side of the IPsec tunnel.
    - `InterfaceAddress string`
      A 31-bit prefix (/31 in CIDR notation) supporting two hosts, one for each side of the tunnel. Select the subnet from the following private IP space: 10.0.0.0–10.255.255.255, 172.16.0.0–172.31.255.255, 192.168.0.0–192.168.255.255.
    - `Name string`
      The name of the IPsec tunnel. The name cannot be shared with other tunnels.
    - `AllowNullCipher bool`
      When `true`, the tunnel can use a null-cipher (`ENCR_NULL`) in the ESP tunnel (Phase 2).
    - `AutomaticReturnRouting bool`
      True if automatic stateful return routing should be enabled for a tunnel, false otherwise.
    - `BGP IPSECTunnelListResponseIPSECTunnelsBGP`
      - `CustomerASN int64`
        ASN used on the customer end of the BGP session.
      - `ExtraPrefixes []string`
        Prefixes in this list will be advertised to the customer device, in addition to the routes in the Magic routing table.
      - `Md5Key string`
        MD5 key to use for session authentication. Note that *this is not a security measure*. MD5 is not a valid security mechanism, and the key is not treated as a secret value. This is *only* supported for preventing misconfiguration, not for defending against malicious attacks.
        The MD5 key, if set, must be of non-zero length and consist only of the following types of character:

        * ASCII alphanumerics: `[a-zA-Z0-9]`
        * Special characters in the set ``'!@#$%^&*()+[]{}<>/.,;:_-~`= |``

        In other words, MD5 keys may contain any printable ASCII character aside from newline (0x0A), quotation mark (`"`), vertical tab (0x0B), carriage return (0x0D), tab (0x09), form feed (0x0C), and the question mark (`?`). Requests specifying an MD5 key with one or more of these disallowed characters will be rejected.
    - `BGPStatus IPSECTunnelListResponseIPSECTunnelsBGPStatus`
      - `State IPSECTunnelListResponseIPSECTunnelsBGPStatusState`
        - `const IPSECTunnelListResponseIPSECTunnelsBGPStatusStateBGPDown IPSECTunnelListResponseIPSECTunnelsBGPStatusState = "BGP_DOWN"`
        - `const IPSECTunnelListResponseIPSECTunnelsBGPStatusStateBGPUp IPSECTunnelListResponseIPSECTunnelsBGPStatusState = "BGP_UP"`
        - `const IPSECTunnelListResponseIPSECTunnelsBGPStatusStateBGPEstablishing IPSECTunnelListResponseIPSECTunnelsBGPStatusState = "BGP_ESTABLISHING"`
      - `TCPEstablished bool`
      - `UpdatedAt Time`
      - `BGPState string`
      - `CfSpeakerIP string`
      - `CfSpeakerPort int64`
      - `CustomerSpeakerIP string`
      - `CustomerSpeakerPort int64`
    - `CreatedOn Time`
      The date and time the tunnel was created.
    - `CustomRemoteIdentities IPSECTunnelListResponseIPSECTunnelsCustomRemoteIdentities`
      - `FqdnID string`
        A custom IKE ID of type FQDN that may be used to identify the IPsec tunnel. The generated IKE IDs can still be used even if this custom value is specified. Must be of the form `..custom.ipsec.cloudflare.com`. This custom ID does not need to be unique. Two IPsec tunnels may have the same custom fqdn_id. However, if another IPsec tunnel has the same value then the two tunnels cannot have the same cloudflare_endpoint.
    - `CustomerEndpoint string`
      The IP address assigned to the customer side of the IPsec tunnel. Not required, but must be set for proactive traceroutes to work.
    - `Description string`
      An optional description for the IPsec tunnel.
    - `HealthCheck IPSECTunnelListResponseIPSECTunnelsHealthCheck`
      - `Direction IPSECTunnelListResponseIPSECTunnelsHealthCheckDirection`
        The direction of the flow of the healthcheck. Either unidirectional, where the probe comes to you via the tunnel and the result comes back to Cloudflare via the open Internet, or bidirectional where both the probe and result come and go via the tunnel.
        - `const IPSECTunnelListResponseIPSECTunnelsHealthCheckDirectionUnidirectional IPSECTunnelListResponseIPSECTunnelsHealthCheckDirection = "unidirectional"`
        - `const IPSECTunnelListResponseIPSECTunnelsHealthCheckDirectionBidirectional IPSECTunnelListResponseIPSECTunnelsHealthCheckDirection = "bidirectional"`
      - `Enabled bool`
        Determines whether to run healthchecks for a tunnel.
      - `Rate HealthCheckRate`
        How frequently the health check is run. The default value is `mid`.
        - `const HealthCheckRateLow HealthCheckRate = "low"`
        - `const HealthCheckRateMid HealthCheckRate = "mid"`
        - `const HealthCheckRateHigh HealthCheckRate = "high"`
      - `Target IPSECTunnelListResponseIPSECTunnelsHealthCheckTargetUnion`
        The destination address in a request type health check. After the healthcheck is decapsulated at the customer end of the tunnel, the ICMP echo will be forwarded to this address. This field defaults to `customer_gre_endpoint address`. This field is ignored for bidirectional healthchecks as the interface_address (not assigned to the Cloudflare side of the tunnel) is used as the target. Must be in object form if the x-magic-new-hc-target header is set to true and string form if x-magic-new-hc-target is absent or set to false.
        - `type IPSECTunnelListResponseIPSECTunnelsHealthCheckTargetMagicHealthCheckTarget struct{…}`
          The destination address in a request type health check. After the healthcheck is decapsulated at the customer end of the tunnel, the ICMP echo will be forwarded to this address.
          This field defaults to `customer_gre_endpoint address`. This field is ignored for bidirectional healthchecks as the interface_address (not assigned to the Cloudflare side of the tunnel) is used as the target.
          - `Effective string`
            The effective health check target. If 'saved' is empty, then this field will be populated with the calculated default value on GET requests. Ignored in POST, PUT, and PATCH requests.
          - `Saved string`
            The saved health check target. Setting the value to the empty string indicates that the calculated default value will be used.
        - `UnionString`
      - `Type HealthCheckType`
        The type of healthcheck to run, reply or request. The default value is `reply`.
        - `const HealthCheckTypeReply HealthCheckType = "reply"`
        - `const HealthCheckTypeRequest HealthCheckType = "request"`
    - `InterfaceAddress6 string`
      A 127-bit IPv6 prefix from within the virtual_subnet6 prefix space, with the address being the first IP of the subnet and not the same as the address of virtual_subnet6. E.g., if virtual_subnet6 is 2606:54c1:7:0:a9fe:12d2::/127, interface_address6 could be 2606:54c1:7:0:a9fe:12d2:1:200/127.
    - `ModifiedOn Time`
      The date and time the tunnel was last modified.
    - `PSKMetadata PSKMetadata`
      The PSK metadata that includes when the PSK was generated.
      - `LastGeneratedOn Time`
        The date and time the tunnel was last modified.
    - `ReplayProtection bool`
      If `true`, then IPsec replay protection will be supported in the Cloudflare-to-customer direction.
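
The returned fields `allow_null_cipher`, `replay_protection` and `psk_metadata.last_generated_on` are enough to audit an account's tunnels for weak settings. The following is an added example, not part of the SDK or the original page: it decodes a list response body and reports each weak setting. `AuditTunnels`, `Finding`, the sample body, the evaluation time and the 365-day rotation window are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Tunnel keeps only the security-relevant fields of one ipsec_tunnels entry,
// using the JSON names from the list response.
type Tunnel struct {
	ID               string `json:"id"`
	Name             string `json:"name"`
	AllowNullCipher  bool   `json:"allow_null_cipher"`
	ReplayProtection bool   `json:"replay_protection"`
	PSKMetadata      *struct {
		LastGeneratedOn time.Time `json:"last_generated_on"`
	} `json:"psk_metadata"`
}

// Finding is one audit result (hypothetical type, not part of the SDK).
type Finding struct {
	TunnelID, Name, Issue string
}

// sampleList is a constructed response body in the shape of the list response.
const sampleList = `{"success": true, "result": {"ipsec_tunnels": [
  {"id": "c4a7362d577a6c3019a474fd6f485821", "name": "IPsec_1",
   "allow_null_cipher": true, "replay_protection": false,
   "psk_metadata": {"last_generated_on": "2017-06-14T05:20:00Z"}},
  {"id": "00000000000000000000000000000002", "name": "IPsec_2",
   "allow_null_cipher": false, "replay_protection": true,
   "psk_metadata": {"last_generated_on": "2023-11-01T00:00:00Z"}},
  {"id": "00000000000000000000000000000003", "name": "IPsec_3",
   "allow_null_cipher": false, "replay_protection": true}
]}}`

// Constructed evaluation time and rotation window (assumptions, not page values).
var sampleNow = time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)

const sampleMaxPSKAge = 365 * 24 * time.Hour

// AuditTunnels decodes a list response body and reports weak tunnel settings.
func AuditTunnels(body []byte, now time.Time, maxPSKAge time.Duration) ([]Finding, error) {
	var env struct {
		Success bool `json:"success"`
		Result  struct {
			IPSECTunnels []Tunnel `json:"ipsec_tunnels"`
		} `json:"result"`
	}
	if err := json.Unmarshal(body, &env); err != nil {
		return nil, fmt.Errorf("decode list response: %w", err)
	}
	if !env.Success {
		return nil, errors.New("list response has success=false")
	}
	var out []Finding
	for _, t := range env.Result.IPSECTunnels {
		report := func(issue string) {
			out = append(out, Finding{TunnelID: t.ID, Name: t.Name, Issue: issue})
		}
		if t.AllowNullCipher {
			report("allow_null_cipher=true: ESP (Phase 2) may use ENCR_NULL, so traffic is not encrypted")
		}
		if !t.ReplayProtection {
			report("replay_protection=false: no replay protection in the Cloudflare-to-customer direction")
		}
		switch {
		case t.PSKMetadata == nil || t.PSKMetadata.LastGeneratedOn.IsZero():
			report("psk_metadata missing: PSK age cannot be determined")
		case now.Sub(t.PSKMetadata.LastGeneratedOn) > maxPSKAge:
			report("PSK last generated " + t.PSKMetadata.LastGeneratedOn.Format(time.RFC3339) +
				" is older than the rotation window")
		}
	}
	return out, nil
}

func main() {
	findings, err := AuditTunnels([]byte(sampleList), sampleNow, sampleMaxPSKAge)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s (%s): %s\n", f.Name, f.TunnelID, f.Issue)
	}
}
```
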
### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/magic_transit"
	"github.com/cloudflare/cloudflare-go/option"
)

func main() {
	// Sample token from the documentation; replace it with your own API token.
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	// List every IPsec tunnel configured on the account.
	ipsecTunnels, err := client.MagicTransit.IPSECTunnels.List(context.TODO(), magic_transit.IPSECTunnelListParams{
		AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", ipsecTunnels.IPSECTunnels)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {
    "ipsec_tunnels": [
      {
        "id": "c4a7362d577a6c3019a474fd6f485821",
        "cloudflare_endpoint": "203.0.113.1",
        "interface_address": "192.0.2.0/31",
        "name": "IPsec_1",
        "allow_null_cipher": true,
        "automatic_return_routing": true,
        "bgp": {
          "customer_asn": 0,
          "extra_prefixes": [ "string" ],
          "md5_key": "md5_key"
        },
        "bgp_status": {
          "state": "BGP_DOWN",
          "tcp_established": true,
          "updated_at": "2019-12-27T18:11:19.117Z",
          "bgp_state": "bgp_state",
          "cf_speaker_ip": "192.168.1.1",
          "cf_speaker_port": 1,
          "customer_speaker_ip": "192.168.1.1",
          "customer_speaker_port": 1
        },
        "created_on": "2017-06-14T00:00:00Z",
        "custom_remote_identities": { "fqdn_id": "fqdn_id" },
        "customer_endpoint": "203.0.113.1",
        "description": "Tunnel for ISP X",
        "health_check": {
          "direction": "bidirectional",
          "enabled": true,
          "rate": "low",
          "target": {
            "effective": "203.0.113.1",
            "saved": "203.0.113.1"
          },
          "type": "request"
        },
        "interface_address6": "2606:54c1:7:0:a9fe:12d2:1:200/127",
        "modified_on": "2017-06-14T05:20:00Z",
        "psk_metadata": { "last_generated_on": "2017-06-14T05:20:00Z" },
        "replay_protection": false
      }
    ]
  },
  "success": true
}
```

## List IPsec tunnel details

`client.MagicTransit.IPSECTunnels.Get(ctx, ipsecTunnelID, params) (*IPSECTunnelGetResponse, error)`

**get** `/accounts/{account_id}/magic/ipsec_tunnels/{ipsec_tunnel_id}`

Lists details for a specific IPsec tunnel.

### Parameters

- `ipsecTunnelID string`
  Identifier
- `params IPSECTunnelGetParams`
  - `AccountID param.Field[string]`
    Path param: Identifier
  - `XMagicNewHcTarget param.Field[bool]`
    Header param: If true, the health check target in the response body will be presented using the new object format. Defaults to false.

### Returns

- `type IPSECTunnelGetResponse struct{…}`
  - `IPSECTunnel IPSECTunnelGetResponseIPSECTunnel`
    - `ID string`
      Identifier
    - `CloudflareEndpoint string`
      The IP address assigned to the Cloudflare side of the IPsec tunnel.
    - `InterfaceAddress string`
      A 31-bit prefix (/31 in CIDR notation) supporting two hosts, one for each side of the tunnel. Select the subnet from the following private IP space: 10.0.0.0–10.255.255.255, 172.16.0.0–172.31.255.255, 192.168.0.0–192.168.255.255.
    - `Name string`
      The name of the IPsec tunnel. The name cannot be shared with other tunnels.
    - `AllowNullCipher bool`
      When `true`, the tunnel can use a null-cipher (`ENCR_NULL`) in the ESP tunnel (Phase 2).
    - `AutomaticReturnRouting bool`
      True if automatic stateful return routing should be enabled for a tunnel, false otherwise.
    - `BGP IPSECTunnelGetResponseIPSECTunnelBGP`
      - `CustomerASN int64`
        ASN used on the customer end of the BGP session.
      - `ExtraPrefixes []string`
        Prefixes in this list will be advertised to the customer device, in addition to the routes in the Magic routing table.
      - `Md5Key string`
        MD5 key to use for session authentication. Note that *this is not a security measure*. MD5 is not a valid security mechanism, and the key is not treated as a secret value. This is *only* supported for preventing misconfiguration, not for defending against malicious attacks.
        The MD5 key, if set, must be of non-zero length and consist only of the following types of character:

        * ASCII alphanumerics: `[a-zA-Z0-9]`
        * Special characters in the set ``'!@#$%^&*()+[]{}<>/.,;:_-~`= |``

        In other words, MD5 keys may contain any printable ASCII character aside from newline (0x0A), quotation mark (`"`), vertical tab (0x0B), carriage return (0x0D), tab (0x09), form feed (0x0C), and the question mark (`?`). Requests specifying an MD5 key with one or more of these disallowed characters will be rejected.
    - `BGPStatus IPSECTunnelGetResponseIPSECTunnelBGPStatus`
      - `State IPSECTunnelGetResponseIPSECTunnelBGPStatusState`
        - `const IPSECTunnelGetResponseIPSECTunnelBGPStatusStateBGPDown IPSECTunnelGetResponseIPSECTunnelBGPStatusState = "BGP_DOWN"`
        - `const IPSECTunnelGetResponseIPSECTunnelBGPStatusStateBGPUp IPSECTunnelGetResponseIPSECTunnelBGPStatusState = "BGP_UP"`
        - `const IPSECTunnelGetResponseIPSECTunnelBGPStatusStateBGPEstablishing IPSECTunnelGetResponseIPSECTunnelBGPStatusState = "BGP_ESTABLISHING"`
      - `TCPEstablished bool`
      - `UpdatedAt Time`
      - `BGPState string`
      - `CfSpeakerIP string`
      - `CfSpeakerPort int64`
      - `CustomerSpeakerIP string`
      - `CustomerSpeakerPort int64`
    - `CreatedOn Time`
      The date and time the tunnel was created.
    - `CustomRemoteIdentities IPSECTunnelGetResponseIPSECTunnelCustomRemoteIdentities`
      - `FqdnID string`
        A custom IKE ID of type FQDN that may be used to identify the IPsec tunnel. The generated IKE IDs can still be used even if this custom value is specified. Must be of the form `..custom.ipsec.cloudflare.com`. This custom ID does not need to be unique. Two IPsec tunnels may have the same custom fqdn_id. However, if another IPsec tunnel has the same value then the two tunnels cannot have the same cloudflare_endpoint.
    - `CustomerEndpoint string`
      The IP address assigned to the customer side of the IPsec tunnel. Not required, but must be set for proactive traceroutes to work.
    - `Description string`
      An optional description for the IPsec tunnel.
    - `HealthCheck IPSECTunnelGetResponseIPSECTunnelHealthCheck`
      - `Direction IPSECTunnelGetResponseIPSECTunnelHealthCheckDirection`
        The direction of the flow of the healthcheck. Either unidirectional, where the probe comes to you via the tunnel and the result comes back to Cloudflare via the open Internet, or bidirectional where both the probe and result come and go via the tunnel.
        - `const IPSECTunnelGetResponseIPSECTunnelHealthCheckDirectionUnidirectional IPSECTunnelGetResponseIPSECTunnelHealthCheckDirection = "unidirectional"`
        - `const IPSECTunnelGetResponseIPSECTunnelHealthCheckDirectionBidirectional IPSECTunnelGetResponseIPSECTunnelHealthCheckDirection = "bidirectional"`
      - `Enabled bool`
        Determines whether to run healthchecks for a tunnel.
      - `Rate HealthCheckRate`
        How frequently the health check is run. The default value is `mid`.
        - `const HealthCheckRateLow HealthCheckRate = "low"`
        - `const HealthCheckRateMid HealthCheckRate = "mid"`
        - `const HealthCheckRateHigh HealthCheckRate = "high"`
      - `Target IPSECTunnelGetResponseIPSECTunnelHealthCheckTargetUnion`
        The destination address in a request type health check. After the healthcheck is decapsulated at the customer end of the tunnel, the ICMP echo will be forwarded to this address. This field defaults to `customer_gre_endpoint address`. This field is ignored for bidirectional healthchecks as the interface_address (not assigned to the Cloudflare side of the tunnel) is used as the target. Must be in object form if the x-magic-new-hc-target header is set to true and string form if x-magic-new-hc-target is absent or set to false.
        - `type IPSECTunnelGetResponseIPSECTunnelHealthCheckTargetMagicHealthCheckTarget struct{…}`
          The destination address in a request type health check. After the healthcheck is decapsulated at the customer end of the tunnel, the ICMP echo will be forwarded to this address. This field defaults to `customer_gre_endpoint address`.
          This field is ignored for bidirectional healthchecks as the interface_address (not assigned to the Cloudflare side of the tunnel) is used as the target.
          - `Effective string`
            The effective health check target. If 'saved' is empty, then this field will be populated with the calculated default value on GET requests. Ignored in POST, PUT, and PATCH requests.
          - `Saved string`
            The saved health check target. Setting the value to the empty string indicates that the calculated default value will be used.
        - `UnionString`
      - `Type HealthCheckType`
        The type of healthcheck to run, reply or request. The default value is `reply`.
        - `const HealthCheckTypeReply HealthCheckType = "reply"`
        - `const HealthCheckTypeRequest HealthCheckType = "request"`
    - `InterfaceAddress6 string`
      A 127-bit IPv6 prefix from within the virtual_subnet6 prefix space, with the address being the first IP of the subnet and not the same as the address of virtual_subnet6. E.g., if virtual_subnet6 is 2606:54c1:7:0:a9fe:12d2::/127, interface_address6 could be 2606:54c1:7:0:a9fe:12d2:1:200/127.
    - `ModifiedOn Time`
      The date and time the tunnel was last modified.
    - `PSKMetadata PSKMetadata`
      The PSK metadata that includes when the PSK was generated.
      - `LastGeneratedOn Time`
        The date and time the tunnel was last modified.
    - `ReplayProtection bool`
      If `true`, then IPsec replay protection will be supported in the Cloudflare-to-customer direction.
### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/magic_transit"
	"github.com/cloudflare/cloudflare-go/option"
)

func main() {
	// Sample token from the documentation; replace it with your own API token.
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	// Fetch one tunnel: the second argument is the tunnel ID, AccountID is the account.
	ipsecTunnel, err := client.MagicTransit.IPSECTunnels.Get(
		context.TODO(),
		"023e105f4ecef8ad9ca31a8372d0c353",
		magic_transit.IPSECTunnelGetParams{
			AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", ipsecTunnel.IPSECTunnel)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {
    "ipsec_tunnel": {
      "id": "c4a7362d577a6c3019a474fd6f485821",
      "cloudflare_endpoint": "203.0.113.1",
      "interface_address": "192.0.2.0/31",
      "name": "IPsec_1",
      "allow_null_cipher": true,
      "automatic_return_routing": true,
      "bgp": {
        "customer_asn": 0,
        "extra_prefixes": [ "string" ],
        "md5_key": "md5_key"
      },
      "bgp_status": {
        "state": "BGP_DOWN",
        "tcp_established": true,
        "updated_at": "2019-12-27T18:11:19.117Z",
        "bgp_state": "bgp_state",
        "cf_speaker_ip": "192.168.1.1",
        "cf_speaker_port": 1,
        "customer_speaker_ip": "192.168.1.1",
        "customer_speaker_port": 1
      },
      "created_on": "2017-06-14T00:00:00Z",
      "custom_remote_identities": { "fqdn_id": "fqdn_id" },
      "customer_endpoint": "203.0.113.1",
      "description": "Tunnel for ISP X",
      "health_check": {
        "direction": "bidirectional",
        "enabled": true,
        "rate": "low",
        "target": {
          "effective": "203.0.113.1",
          "saved": "203.0.113.1"
        },
        "type": "request"
      },
      "interface_address6": "2606:54c1:7:0:a9fe:12d2:1:200/127",
      "modified_on": "2017-06-14T05:20:00Z",
      "psk_metadata": { "last_generated_on": "2017-06-14T05:20:00Z" },
      "replay_protection": false
    }
  },
  "success": true
}
```

## Create an IPsec tunnel

`client.MagicTransit.IPSECTunnels.New(ctx, params) (*IPSECTunnelNewResponse, error)`

**post** `/accounts/{account_id}/magic/ipsec_tunnels`

Creates a new IPsec tunnel associated with an account. Use `?validate_only=true` as an optional query parameter to only run validation without persisting changes.

### Parameters

- `params IPSECTunnelNewParams`
  - `AccountID param.Field[string]`
    Path param: Identifier
  - `CloudflareEndpoint param.Field[string]`
    Body param: The IP address assigned to the Cloudflare side of the IPsec tunnel.
  - `InterfaceAddress param.Field[string]`
    Body param: A 31-bit prefix (/31 in CIDR notation) supporting two hosts, one for each side of the tunnel. Select the subnet from the following private IP space: 10.0.0.0–10.255.255.255, 172.16.0.0–172.31.255.255, 192.168.0.0–192.168.255.255.
  - `Name param.Field[string]`
    Body param: The name of the IPsec tunnel. The name cannot be shared with other tunnels.
  - `AutomaticReturnRouting param.Field[bool]`
    Body param: True if automatic stateful return routing should be enabled for a tunnel, false otherwise.
  - `BGP param.Field[IPSECTunnelNewParamsBGP]`
    Body param
    - `CustomerASN int64`
      ASN used on the customer end of the BGP session.
    - `ExtraPrefixes []string`
      Prefixes in this list will be advertised to the customer device, in addition to the routes in the Magic routing table.
    - `Md5Key string`
      MD5 key to use for session authentication. Note that *this is not a security measure*. MD5 is not a valid security mechanism, and the key is not treated as a secret value. This is *only* supported for preventing misconfiguration, not for defending against malicious attacks.
      The MD5 key, if set, must be of non-zero length and consist only of the following types of character:

      * ASCII alphanumerics: `[a-zA-Z0-9]`
      * Special characters in the set ``'!@#$%^&*()+[]{}<>/.,;:_-~`= |``

      In other words, MD5 keys may contain any printable ASCII character aside from newline (0x0A), quotation mark (`"`), vertical tab (0x0B), carriage return (0x0D), tab (0x09), form feed (0x0C), and the question mark (`?`). Requests specifying an MD5 key with one or more of these disallowed characters will be rejected.
  - `CustomRemoteIdentities param.Field[IPSECTunnelNewParamsCustomRemoteIdentities]`
    Body param
    - `FqdnID string`
      A custom IKE ID of type FQDN that may be used to identify the IPsec tunnel. The generated IKE IDs can still be used even if this custom value is specified. Must be of the form `..custom.ipsec.cloudflare.com`. This custom ID does not need to be unique. Two IPsec tunnels may have the same custom fqdn_id. However, if another IPsec tunnel has the same value then the two tunnels cannot have the same cloudflare_endpoint.
  - `CustomerEndpoint param.Field[string]`
    Body param: The IP address assigned to the customer side of the IPsec tunnel. Not required, but must be set for proactive traceroutes to work.
  - `Description param.Field[string]`
    Body param: An optional description for the IPsec tunnel.
  - `HealthCheck param.Field[IPSECTunnelNewParamsHealthCheck]`
    Body param
    - `Direction IPSECTunnelNewParamsHealthCheckDirection`
      The direction of the flow of the healthcheck. Either unidirectional, where the probe comes to you via the tunnel and the result comes back to Cloudflare via the open Internet, or bidirectional where both the probe and result come and go via the tunnel.
      - `const IPSECTunnelNewParamsHealthCheckDirectionUnidirectional IPSECTunnelNewParamsHealthCheckDirection = "unidirectional"`
      - `const IPSECTunnelNewParamsHealthCheckDirectionBidirectional IPSECTunnelNewParamsHealthCheckDirection = "bidirectional"`
    - `Enabled bool`
      Determines whether to run healthchecks for a tunnel.
    - `Rate HealthCheckRate`
      How frequently the health check is run. The default value is `mid`.
      - `const HealthCheckRateLow HealthCheckRate = "low"`
      - `const HealthCheckRateMid HealthCheckRate = "mid"`
      - `const HealthCheckRateHigh HealthCheckRate = "high"`
    - `Target IPSECTunnelNewParamsHealthCheckTargetUnion`
      The destination address in a request type health check. After the healthcheck is decapsulated at the customer end of the tunnel, the ICMP echo will be forwarded to this address. This field defaults to `customer_gre_endpoint address`. This field is ignored for bidirectional healthchecks as the interface_address (not assigned to the Cloudflare side of the tunnel) is used as the target. Must be in object form if the x-magic-new-hc-target header is set to true and string form if x-magic-new-hc-target is absent or set to false.
      - `type IPSECTunnelNewParamsHealthCheckTargetMagicHealthCheckTarget struct{…}`
        The destination address in a request type health check. After the healthcheck is decapsulated at the customer end of the tunnel, the ICMP echo will be forwarded to this address. This field defaults to `customer_gre_endpoint address`. This field is ignored for bidirectional healthchecks as the interface_address (not assigned to the Cloudflare side of the tunnel) is used as the target.
        - `Effective string`
          The effective health check target. If 'saved' is empty, then this field will be populated with the calculated default value on GET requests. Ignored in POST, PUT, and PATCH requests.
        - `Saved string`
          The saved health check target. Setting the value to the empty string indicates that the calculated default value will be used.
      - `UnionString`
    - `Type HealthCheckType`
      The type of healthcheck to run, reply or request. The default value is `reply`.
      - `const HealthCheckTypeReply HealthCheckType = "reply"`
      - `const HealthCheckTypeRequest HealthCheckType = "request"`
  - `InterfaceAddress6 param.Field[string]`
    Body param: A 127-bit IPv6 prefix from within the virtual_subnet6 prefix space, with the address being the first IP of the subnet and not the same as the address of virtual_subnet6. E.g., if virtual_subnet6 is 2606:54c1:7:0:a9fe:12d2::/127, interface_address6 could be 2606:54c1:7:0:a9fe:12d2:1:200/127.
  - `PSK param.Field[string]`
    Body param: A randomly generated or provided string for use in the IPsec tunnel.
  - `ReplayProtection param.Field[bool]`
    Body param: If `true`, then IPsec replay protection will be supported in the Cloudflare-to-customer direction.
  - `XMagicNewHcTarget param.Field[bool]`
    Header param: If true, the health check target in the request and response bodies will be presented using the new object format. Defaults to false.

### Returns

- `type IPSECTunnelNewResponse struct{…}`
  - `ID string`
    Identifier
  - `CloudflareEndpoint string`
    The IP address assigned to the Cloudflare side of the IPsec tunnel.
  - `InterfaceAddress string`
    A 31-bit prefix (/31 in CIDR notation) supporting two hosts, one for each side of the tunnel. Select the subnet from the following private IP space: 10.0.0.0–10.255.255.255, 172.16.0.0–172.31.255.255, 192.168.0.0–192.168.255.255.
  - `Name string`
    The name of the IPsec tunnel. The name cannot be shared with other tunnels.
  - `AllowNullCipher bool`
    When `true`, the tunnel can use a null-cipher (`ENCR_NULL`) in the ESP tunnel (Phase 2).
  - `AutomaticReturnRouting bool`
    True if automatic stateful return routing should be enabled for a tunnel, false otherwise.
  - `BGP IPSECTunnelNewResponseBGP`
    - `CustomerASN int64`
      ASN used on the customer end of the BGP session.
    - `ExtraPrefixes []string`
      Prefixes in this list will be advertised to the customer device, in addition to the routes in the Magic routing table.
    - `Md5Key string`
      MD5 key to use for session authentication. Note that *this is not a security measure*. MD5 is not a valid security mechanism, and the key is not treated as a secret value. This is *only* supported for preventing misconfiguration, not for defending against malicious attacks.

      The MD5 key, if set, must be of non-zero length and consist only of the following types of character:

      * ASCII alphanumerics: `[a-zA-Z0-9]`
      * Special characters in the set ``'!@#$%^&*()+[]{}<>/.,;:_-~`= |``

      In other words, MD5 keys may contain any printable ASCII character aside from newline (0x0A), quotation mark (`"`), vertical tab (0x0B), carriage return (0x0D), tab (0x09), form feed (0x0C), and the question mark (`?`). Requests specifying an MD5 key with one or more of these disallowed characters will be rejected.
  - `BGPStatus IPSECTunnelNewResponseBGPStatus`
    - `State IPSECTunnelNewResponseBGPStatusState`
      - `const IPSECTunnelNewResponseBGPStatusStateBGPDown IPSECTunnelNewResponseBGPStatusState = "BGP_DOWN"`
      - `const IPSECTunnelNewResponseBGPStatusStateBGPUp IPSECTunnelNewResponseBGPStatusState = "BGP_UP"`
      - `const IPSECTunnelNewResponseBGPStatusStateBGPEstablishing IPSECTunnelNewResponseBGPStatusState = "BGP_ESTABLISHING"`
    - `TCPEstablished bool`
    - `UpdatedAt Time`
    - `BGPState string`
    - `CfSpeakerIP string`
    - `CfSpeakerPort int64`
    - `CustomerSpeakerIP string`
    - `CustomerSpeakerPort int64`
  - `CreatedOn Time`
    The date and time the tunnel was created.
  - `CustomRemoteIdentities IPSECTunnelNewResponseCustomRemoteIdentities`
    - `FqdnID string`
      A custom IKE ID of type FQDN that may be used to identify the IPsec tunnel. The generated IKE IDs can still be used even if this custom value is specified.
      Must be of the form `..custom.ipsec.cloudflare.com`. This custom ID does not need to be unique. Two IPsec tunnels may have the same custom fqdn_id. However, if another IPsec tunnel has the same value then the two tunnels cannot have the same cloudflare_endpoint.
  - `CustomerEndpoint string`
    The IP address assigned to the customer side of the IPsec tunnel. Not required, but must be set for proactive traceroutes to work.
  - `Description string`
    An optional description for the IPsec tunnel.
  - `HealthCheck IPSECTunnelNewResponseHealthCheck`
    - `Direction IPSECTunnelNewResponseHealthCheckDirection`
      The direction of the flow of the healthcheck. Either unidirectional, where the probe comes to you via the tunnel and the result comes back to Cloudflare via the open Internet, or bidirectional where both the probe and result come and go via the tunnel.
      - `const IPSECTunnelNewResponseHealthCheckDirectionUnidirectional IPSECTunnelNewResponseHealthCheckDirection = "unidirectional"`
      - `const IPSECTunnelNewResponseHealthCheckDirectionBidirectional IPSECTunnelNewResponseHealthCheckDirection = "bidirectional"`
    - `Enabled bool`
      Determines whether to run healthchecks for a tunnel.
    - `Rate HealthCheckRate`
      How frequently the health check is run. The default value is `mid`.
      - `const HealthCheckRateLow HealthCheckRate = "low"`
      - `const HealthCheckRateMid HealthCheckRate = "mid"`
      - `const HealthCheckRateHigh HealthCheckRate = "high"`
    - `Target IPSECTunnelNewResponseHealthCheckTargetUnion`
      The destination address in a request type health check. After the healthcheck is decapsulated at the customer end of the tunnel, the ICMP echo will be forwarded to this address. This field defaults to `customer_gre_endpoint address`. This field is ignored for bidirectional healthchecks as the interface_address (not assigned to the Cloudflare side of the tunnel) is used as the target.
      Must be in object form if the x-magic-new-hc-target header is set to true and string form if x-magic-new-hc-target is absent or set to false.
      - `type IPSECTunnelNewResponseHealthCheckTargetMagicHealthCheckTarget struct{…}`
        The destination address in a request type health check. After the healthcheck is decapsulated at the customer end of the tunnel, the ICMP echo will be forwarded to this address. This field defaults to `customer_gre_endpoint address`. This field is ignored for bidirectional healthchecks as the interface_address (not assigned to the Cloudflare side of the tunnel) is used as the target.
        - `Effective string`
          The effective health check target. If 'saved' is empty, then this field will be populated with the calculated default value on GET requests. Ignored in POST, PUT, and PATCH requests.
        - `Saved string`
          The saved health check target. Setting the value to the empty string indicates that the calculated default value will be used.
      - `UnionString`
    - `Type HealthCheckType`
      The type of healthcheck to run, reply or request. The default value is `reply`.
      - `const HealthCheckTypeReply HealthCheckType = "reply"`
      - `const HealthCheckTypeRequest HealthCheckType = "request"`
  - `InterfaceAddress6 string`
    A 127-bit IPv6 prefix from within the virtual_subnet6 prefix space, with the address being the first IP of the subnet and not the same as the address of virtual_subnet6. E.g., if virtual_subnet6 is 2606:54c1:7:0:a9fe:12d2::/127, interface_address6 could be 2606:54c1:7:0:a9fe:12d2:1:200/127.
  - `ModifiedOn Time`
    The date and time the tunnel was last modified.
  - `PSKMetadata PSKMetadata`
    The PSK metadata that includes when the PSK was generated.
    - `LastGeneratedOn Time`
      The date and time the tunnel was last modified.
  - `ReplayProtection bool`
    If `true`, then IPsec replay protection will be supported in the Cloudflare-to-customer direction.
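
The create parameters carry several format rules (a /31 `interface_address` from the listed private ranges, a /127 `interface_address6` that is the first address of its subnet, and the `md5_key` character set) that can be checked locally before sending a request with `?validate_only=true`. The following is an added example, not SDK code: `TunnelSpec`, `ValidateSpec` and `ValidMD5Key` are hypothetical names, the sample values are constructed, and the MD5 check follows the explicit character list, which is the stricter reading (backslash is not in that list).

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// md5Specials is the special-character set quoted in the Md5Key description.
const md5Specials = "'!@#$%^&*()+[]{}<>/.,;:_-~`= |"

// privateV4 is the private IP space listed for interface_address.
var privateV4 = []netip.Prefix{
	netip.MustParsePrefix("10.0.0.0/8"),
	netip.MustParsePrefix("172.16.0.0/12"),
	netip.MustParsePrefix("192.168.0.0/16"),
}

// TunnelSpec is a hypothetical local struct holding a subset of the body params.
type TunnelSpec struct {
	CloudflareEndpoint string
	InterfaceAddress   string
	InterfaceAddress6  string // optional
	Md5Key             string // optional; empty means "not set"
}

// ValidMD5Key reports whether k is non-empty and uses only ASCII
// alphanumerics plus the listed special characters.
func ValidMD5Key(k string) bool {
	if k == "" {
		return false
	}
	for _, r := range k {
		alnum := (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z') || (r >= '0' && r <= '9')
		if !alnum && !strings.ContainsRune(md5Specials, r) {
			return false
		}
	}
	return true
}

// ValidateSpec returns one message per rule the spec violates.
func ValidateSpec(s TunnelSpec) []string {
	var errs []string
	if _, err := netip.ParseAddr(s.CloudflareEndpoint); err != nil {
		errs = append(errs, "cloudflare_endpoint: not an IP address")
	}
	p4, err := netip.ParsePrefix(s.InterfaceAddress)
	switch {
	case err != nil || !p4.Addr().Is4() || p4.Bits() != 31:
		errs = append(errs, "interface_address: must be an IPv4 /31 prefix")
	default:
		private := false
		for _, r := range privateV4 {
			private = private || r.Contains(p4.Addr())
		}
		if !private {
			errs = append(errs, "interface_address: outside 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16")
		}
	}
	if s.InterfaceAddress6 != "" {
		p6, err := netip.ParsePrefix(s.InterfaceAddress6)
		switch {
		case err != nil || !p6.Addr().Is6() || p6.Bits() != 127:
			errs = append(errs, "interface_address6: must be an IPv6 /127 prefix")
		case p6.Masked().Addr() != p6.Addr():
			errs = append(errs, "interface_address6: address must be the first IP of the /127")
		}
	}
	if s.Md5Key != "" && !ValidMD5Key(s.Md5Key) {
		errs = append(errs, "bgp.md5_key: contains a disallowed character")
	}
	return errs
}

func main() {
	// The page's own sample values: 192.0.2.0/31 is a documentation range,
	// not one of the listed private ranges, so the local check flags it.
	page := TunnelSpec{CloudflareEndpoint: "203.0.113.1", InterfaceAddress: "192.0.2.0/31"}
	fmt.Println(ValidateSpec(page))

	// Constructed spec that satisfies every rule checked here.
	good := TunnelSpec{
		CloudflareEndpoint: "203.0.113.1",
		InterfaceAddress:   "10.212.0.8/31",
		InterfaceAddress6:  "2606:54c1:7:0:a9fe:12d2:1:200/127",
		Md5Key:             "Peer-A_2024!",
	}
	fmt.Println(len(ValidateSpec(good)))
}
```
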
### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/magic_transit"
	"github.com/cloudflare/cloudflare-go/option"
)

func main() {
	// Sample token from the documentation; replace it with your own API token.
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	// Create a tunnel with the Cloudflare endpoint, the /31 interface address and a name.
	ipsecTunnel, err := client.MagicTransit.IPSECTunnels.New(context.TODO(), magic_transit.IPSECTunnelNewParams{
		AccountID:          cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
		CloudflareEndpoint: cloudflare.F("203.0.113.1"),
		InterfaceAddress:   cloudflare.F("192.0.2.0/31"),
		Name:               cloudflare.F("IPsec_1"),
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", ipsecTunnel.ID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {
    "id": "c4a7362d577a6c3019a474fd6f485821",
    "cloudflare_endpoint": "203.0.113.1",
    "interface_address": "192.0.2.0/31",
    "name": "IPsec_1",
    "allow_null_cipher": true,
    "automatic_return_routing": true,
    "bgp": {
      "customer_asn": 0,
      "extra_prefixes": [ "string" ],
      "md5_key": "md5_key"
    },
    "bgp_status": {
      "state": "BGP_DOWN",
      "tcp_established": true,
      "updated_at": "2019-12-27T18:11:19.117Z",
      "bgp_state": "bgp_state",
      "cf_speaker_ip": "192.168.1.1",
      "cf_speaker_port": 1,
      "customer_speaker_ip": "192.168.1.1",
      "customer_speaker_port": 1
    },
    "created_on": "2017-06-14T00:00:00Z",
    "custom_remote_identities": { "fqdn_id": "fqdn_id" },
    "customer_endpoint": "203.0.113.1",
    "description": "Tunnel for ISP X",
    "health_check": {
      "direction": "bidirectional",
      "enabled": true,
      "rate": "low",
      "target": {
        "effective": "203.0.113.1",
        "saved": "203.0.113.1"
      },
      "type": "request"
    },
    "interface_address6": "2606:54c1:7:0:a9fe:12d2:1:200/127",
    "modified_on": "2017-06-14T05:20:00Z",
    "psk_metadata": { "last_generated_on": "2017-06-14T05:20:00Z" },
    "replay_protection": false
  },
  "success": true
}
```

## Update IPsec Tunnel

`client.MagicTransit.IPSECTunnels.Update(ctx, ipsecTunnelID, params) (*IPSECTunnelUpdateResponse, error)`

**put** `/accounts/{account_id}/magic/ipsec_tunnels/{ipsec_tunnel_id}`

Updates a specific IPsec tunnel associated with an account. Use `?validate_only=true` as an optional query parameter to only run validation without persisting changes.

### Parameters

- `ipsecTunnelID string`
  Identifier
- `params IPSECTunnelUpdateParams`
  - `AccountID param.Field[string]`
    Path param: Identifier
  - `CloudflareEndpoint param.Field[string]`
    Body param: The IP address assigned to the Cloudflare side of the IPsec tunnel.
  - `InterfaceAddress param.Field[string]`
    Body param: A 31-bit prefix (/31 in CIDR notation) supporting two hosts, one for each side of the tunnel. Select the subnet from the following private IP space: 10.0.0.0–10.255.255.255, 172.16.0.0–172.31.255.255, 192.168.0.0–192.168.255.255.
  - `Name param.Field[string]`
    Body param: The name of the IPsec tunnel. The name cannot be shared with other tunnels.
  - `AutomaticReturnRouting param.Field[bool]`
    Body param: True if automatic stateful return routing should be enabled for a tunnel, false otherwise.
  - `BGP param.Field[IPSECTunnelUpdateParamsBGP]`
    Body param
    - `CustomerASN int64`
      ASN used on the customer end of the BGP session.
    - `ExtraPrefixes []string`
      Prefixes in this list will be advertised to the customer device, in addition to the routes in the Magic routing table.
    - `Md5Key string`
      MD5 key to use for session authentication. Note that *this is not a security measure*. MD5 is not a valid security mechanism, and the key is not treated as a secret value. This is *only* supported for preventing misconfiguration, not for defending against malicious attacks.
      The MD5 key, if set, must be of non-zero length and consist only of the following types of character:

      * ASCII alphanumerics: `[a-zA-Z0-9]`
      * Special characters in the set ``'!@#$%^&*()+[]{}<>/.,;:_-~`= |``

      In other words, MD5 keys may contain any printable ASCII character aside from newline (0x0A), quotation mark (`"`), vertical tab (0x0B), carriage return (0x0D), tab (0x09), form feed (0x0C), and the question mark (`?`). Requests specifying an MD5 key with one or more of these disallowed characters will be rejected.
  - `CustomRemoteIdentities param.Field[IPSECTunnelUpdateParamsCustomRemoteIdentities]`
    Body param
    - `FqdnID string`
      A custom IKE ID of type FQDN that may be used to identify the IPsec tunnel. The generated IKE IDs can still be used even if this custom value is specified. Must be of the form `..custom.ipsec.cloudflare.com`. This custom ID does not need to be unique. Two IPsec tunnels may have the same custom fqdn_id. However, if another IPsec tunnel has the same value then the two tunnels cannot have the same cloudflare_endpoint.
  - `CustomerEndpoint param.Field[string]`
    Body param: The IP address assigned to the customer side of the IPsec tunnel. Not required, but must be set for proactive traceroutes to work.
  - `Description param.Field[string]`
    Body param: An optional description for the IPsec tunnel.
  - `HealthCheck param.Field[IPSECTunnelUpdateParamsHealthCheck]`
    Body param
    - `Direction IPSECTunnelUpdateParamsHealthCheckDirection`
      The direction of the flow of the healthcheck. Either unidirectional, where the probe comes to you via the tunnel and the result comes back to Cloudflare via the open Internet, or bidirectional where both the probe and result come and go via the tunnel.
      - `const IPSECTunnelUpdateParamsHealthCheckDirectionUnidirectional IPSECTunnelUpdateParamsHealthCheckDirection = "unidirectional"`
      - `const IPSECTunnelUpdateParamsHealthCheckDirectionBidirectional IPSECTunnelUpdateParamsHealthCheckDirection = "bidirectional"`
    - `Enabled bool`
      Determines whether to run healthchecks for a tunnel.
    - `Rate HealthCheckRate`
      How frequently the health check is run. The default value is `mid`.
      - `const HealthCheckRateLow HealthCheckRate = "low"`
      - `const HealthCheckRateMid HealthCheckRate = "mid"`
      - `const HealthCheckRateHigh HealthCheckRate = "high"`
    - `Target IPSECTunnelUpdateParamsHealthCheckTargetUnion`
      The destination address in a request type health check. After the healthcheck is decapsulated at the customer end of the tunnel, the ICMP echo will be forwarded to this address. This field defaults to `customer_gre_endpoint address`. This field is ignored for bidirectional healthchecks as the interface_address (not assigned to the Cloudflare side of the tunnel) is used as the target. Must be in object form if the x-magic-new-hc-target header is set to true and string form if x-magic-new-hc-target is absent or set to false.
      - `type IPSECTunnelUpdateParamsHealthCheckTargetMagicHealthCheckTarget struct{…}`
        The destination address in a request type health check. After the healthcheck is decapsulated at the customer end of the tunnel, the ICMP echo will be forwarded to this address. This field defaults to `customer_gre_endpoint address`. This field is ignored for bidirectional healthchecks as the interface_address (not assigned to the Cloudflare side of the tunnel) is used as the target.
        - `Effective string`
          The effective health check target. If 'saved' is empty, then this field will be populated with the calculated default value on GET requests. Ignored in POST, PUT, and PATCH requests.
        - `Saved string`
          The saved health check target. Setting the value to the empty string indicates that the calculated default value will be used.
      - `UnionString`
    - `Type HealthCheckType`
      The type of healthcheck to run, reply or request. The default value is `reply`.
      - `const HealthCheckTypeReply HealthCheckType = "reply"`
      - `const HealthCheckTypeRequest HealthCheckType = "request"`
  - `InterfaceAddress6 param.Field[string]`
    Body param: A 127-bit IPv6 prefix from within the virtual_subnet6 prefix space with the address being the first IP of the subnet and not the same as the address of virtual_subnet6. E.g. if virtual_subnet6 is 2606:54c1:7:0:a9fe:12d2::/127, interface_address6 could be 2606:54c1:7:0:a9fe:12d2:1:200/127
  - `PSK param.Field[string]`
    Body param: A randomly generated or provided string for use in the IPsec tunnel.
  - `ReplayProtection param.Field[bool]`
    Body param: If `true`, then IPsec replay protection will be supported in the Cloudflare-to-customer direction.
  - `XMagicNewHcTarget param.Field[bool]`
    Header param: If true, the health check target in the request and response bodies will be presented using the new object format. Defaults to false.

### Returns

- `type IPSECTunnelUpdateResponse struct{…}`
  - `Modified bool`
  - `ModifiedIPSECTunnel IPSECTunnelUpdateResponseModifiedIPSECTunnel`
    - `ID string`
      Identifier
    - `CloudflareEndpoint string`
      The IP address assigned to the Cloudflare side of the IPsec tunnel.
    - `InterfaceAddress string`
      A 31-bit prefix (/31 in CIDR notation) supporting two hosts, one for each side of the tunnel. Select the subnet from the following private IP space: 10.0.0.0–10.255.255.255, 172.16.0.0–172.31.255.255, 192.168.0.0–192.168.255.255.
    - `Name string`
      The name of the IPsec tunnel. The name cannot share a name with other tunnels.
    - `AllowNullCipher bool`
      When `true`, the tunnel can use a null-cipher (`ENCR_NULL`) in the ESP tunnel (Phase 2).
    - `AutomaticReturnRouting bool`
      True if automatic stateful return routing should be enabled for a tunnel, false otherwise.
    - `BGP IPSECTunnelUpdateResponseModifiedIPSECTunnelBGP`
      - `CustomerASN int64`
        ASN used on the customer end of the BGP session
      - `ExtraPrefixes []string`
        Prefixes in this list will be advertised to the customer device, in addition to the routes in the Magic routing table.
      - `Md5Key string`
        MD5 key to use for session authentication. Note that *this is not a security measure*. MD5 is not a valid security mechanism, and the key is not treated as a secret value. This is *only* supported for preventing misconfiguration, not for defending against malicious attacks. The MD5 key, if set, must be of non-zero length and consist only of the following types of character:

        * ASCII alphanumerics: `[a-zA-Z0-9]`
        * Special characters in the set ``'!@#$%^&*()+[]{}<>/.,;:_-~`= |``

        In other words, MD5 keys may contain any printable ASCII character aside from newline (0x0A), quotation mark (`"`), vertical tab (0x0B), carriage return (0x0D), tab (0x09), form feed (0x0C), and the question mark (`?`). Requests specifying an MD5 key with one or more of these disallowed characters will be rejected.
    - `BGPStatus IPSECTunnelUpdateResponseModifiedIPSECTunnelBGPStatus`
      - `State IPSECTunnelUpdateResponseModifiedIPSECTunnelBGPStatusState`
        - `const IPSECTunnelUpdateResponseModifiedIPSECTunnelBGPStatusStateBGPDown IPSECTunnelUpdateResponseModifiedIPSECTunnelBGPStatusState = "BGP_DOWN"`
        - `const IPSECTunnelUpdateResponseModifiedIPSECTunnelBGPStatusStateBGPUp IPSECTunnelUpdateResponseModifiedIPSECTunnelBGPStatusState = "BGP_UP"`
        - `const IPSECTunnelUpdateResponseModifiedIPSECTunnelBGPStatusStateBGPEstablishing IPSECTunnelUpdateResponseModifiedIPSECTunnelBGPStatusState = "BGP_ESTABLISHING"`
      - `TCPEstablished bool`
      - `UpdatedAt Time`
      - `BGPState string`
      - `CfSpeakerIP string`
      - `CfSpeakerPort int64`
      - `CustomerSpeakerIP string`
      - `CustomerSpeakerPort int64`
    - `CreatedOn Time`
      The date and time the tunnel was created.
    - `CustomRemoteIdentities IPSECTunnelUpdateResponseModifiedIPSECTunnelCustomRemoteIdentities`
      - `FqdnID string`
        A custom IKE ID of type FQDN that may be used to identify the IPsec tunnel. The generated IKE IDs can still be used even if this custom value is specified. Must be of the form `..custom.ipsec.cloudflare.com`. This custom ID does not need to be unique. Two IPsec tunnels may have the same custom fqdn_id. However, if another IPsec tunnel has the same value then the two tunnels cannot have the same cloudflare_endpoint.
    - `CustomerEndpoint string`
      The IP address assigned to the customer side of the IPsec tunnel. Not required, but must be set for proactive traceroutes to work.
    - `Description string`
      An optional description for the IPsec tunnel.
    - `HealthCheck IPSECTunnelUpdateResponseModifiedIPSECTunnelHealthCheck`
      - `Direction IPSECTunnelUpdateResponseModifiedIPSECTunnelHealthCheckDirection`
        The direction of the flow of the healthcheck. Either unidirectional, where the probe comes to you via the tunnel and the result comes back to Cloudflare via the open Internet, or bidirectional where both the probe and result come and go via the tunnel.
        - `const IPSECTunnelUpdateResponseModifiedIPSECTunnelHealthCheckDirectionUnidirectional IPSECTunnelUpdateResponseModifiedIPSECTunnelHealthCheckDirection = "unidirectional"`
        - `const IPSECTunnelUpdateResponseModifiedIPSECTunnelHealthCheckDirectionBidirectional IPSECTunnelUpdateResponseModifiedIPSECTunnelHealthCheckDirection = "bidirectional"`
      - `Enabled bool`
        Determines whether to run healthchecks for a tunnel.
      - `Rate HealthCheckRate`
        How frequently the health check is run. The default value is `mid`.
        - `const HealthCheckRateLow HealthCheckRate = "low"`
        - `const HealthCheckRateMid HealthCheckRate = "mid"`
        - `const HealthCheckRateHigh HealthCheckRate = "high"`
      - `Target IPSECTunnelUpdateResponseModifiedIPSECTunnelHealthCheckTargetUnion`
        The destination address in a request type health check. After the healthcheck is decapsulated at the customer end of the tunnel, the ICMP echo will be forwarded to this address. This field defaults to `customer_gre_endpoint address`. This field is ignored for bidirectional healthchecks as the interface_address (not assigned to the Cloudflare side of the tunnel) is used as the target. Must be in object form if the x-magic-new-hc-target header is set to true and string form if x-magic-new-hc-target is absent or set to false.
        - `type IPSECTunnelUpdateResponseModifiedIPSECTunnelHealthCheckTargetMagicHealthCheckTarget struct{…}`
          The destination address in a request type health check. After the healthcheck is decapsulated at the customer end of the tunnel, the ICMP echo will be forwarded to this address. This field defaults to `customer_gre_endpoint address`. This field is ignored for bidirectional healthchecks as the interface_address (not assigned to the Cloudflare side of the tunnel) is used as the target.
          - `Effective string`
            The effective health check target. If 'saved' is empty, then this field will be populated with the calculated default value on GET requests. Ignored in POST, PUT, and PATCH requests.
          - `Saved string`
            The saved health check target. Setting the value to the empty string indicates that the calculated default value will be used.
        - `UnionString`
      - `Type HealthCheckType`
        The type of healthcheck to run, reply or request. The default value is `reply`.
        - `const HealthCheckTypeReply HealthCheckType = "reply"`
        - `const HealthCheckTypeRequest HealthCheckType = "request"`
    - `InterfaceAddress6 string`
      A 127-bit IPv6 prefix from within the virtual_subnet6 prefix space with the address being the first IP of the subnet and not the same as the address of virtual_subnet6. E.g. if virtual_subnet6 is 2606:54c1:7:0:a9fe:12d2::/127, interface_address6 could be 2606:54c1:7:0:a9fe:12d2:1:200/127
    - `ModifiedOn Time`
      The date and time the tunnel was last modified.
    - `PSKMetadata PSKMetadata`
      The PSK metadata that includes when the PSK was generated.
      - `LastGeneratedOn Time`
        The date and time the tunnel was last modified.
    - `ReplayProtection bool`
      If `true`, then IPsec replay protection will be supported in the Cloudflare-to-customer direction.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/magic_transit"
	"github.com/cloudflare/cloudflare-go/option"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	ipsecTunnel, err := client.MagicTransit.IPSECTunnels.Update(
		context.TODO(),
		"023e105f4ecef8ad9ca31a8372d0c353",
		magic_transit.IPSECTunnelUpdateParams{
			AccountID:          cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
			CloudflareEndpoint: cloudflare.F("203.0.113.1"),
			InterfaceAddress:   cloudflare.F("192.0.2.0/31"),
			Name:               cloudflare.F("IPsec_1"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", ipsecTunnel.Modified)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {
    "modified": true,
    "modified_ipsec_tunnel": {
      "id": "c4a7362d577a6c3019a474fd6f485821",
      "cloudflare_endpoint": "203.0.113.1",
      "interface_address": "192.0.2.0/31",
      "name": "IPsec_1",
      "allow_null_cipher": true,
      "automatic_return_routing": true,
      "bgp": {
        "customer_asn": 0,
        "extra_prefixes": [ "string" ],
        "md5_key": "md5_key"
      },
      "bgp_status": {
        "state": "BGP_DOWN",
        "tcp_established": true,
        "updated_at": "2019-12-27T18:11:19.117Z",
        "bgp_state": "bgp_state",
        "cf_speaker_ip": "192.168.1.1",
        "cf_speaker_port": 1,
        "customer_speaker_ip": "192.168.1.1",
        "customer_speaker_port": 1
      },
      "created_on": "2017-06-14T00:00:00Z",
      "custom_remote_identities": { "fqdn_id": "fqdn_id" },
      "customer_endpoint": "203.0.113.1",
      "description": "Tunnel for ISP X",
      "health_check": {
        "direction": "bidirectional",
        "enabled": true,
        "rate": "low",
        "target": {
          "effective": "203.0.113.1",
          "saved": "203.0.113.1"
        },
        "type": "request"
      },
      "interface_address6": "2606:54c1:7:0:a9fe:12d2:1:200/127",
      "modified_on": "2017-06-14T05:20:00Z",
      "psk_metadata": { "last_generated_on": "2017-06-14T05:20:00Z" },
      "replay_protection": false
    }
  },
  "success": true
}
```

## Delete IPsec Tunnel

`client.MagicTransit.IPSECTunnels.Delete(ctx, ipsecTunnelID, params) (*IPSECTunnelDeleteResponse, error)`

**delete** `/accounts/{account_id}/magic/ipsec_tunnels/{ipsec_tunnel_id}`

Disables and removes a specific static IPsec Tunnel associated with an account. Use `?validate_only=true` as an optional query parameter to only run validation without persisting changes.

### Parameters

- `ipsecTunnelID string`
  Identifier
- `params IPSECTunnelDeleteParams`
  - `AccountID param.Field[string]`
    Path param: Identifier
  - `XMagicNewHcTarget param.Field[bool]`
    Header param: If true, the health check target in the response body will be presented using the new object format. Defaults to false.

### Returns

- `type IPSECTunnelDeleteResponse struct{…}`
  - `Deleted bool`
  - `DeletedIPSECTunnel IPSECTunnelDeleteResponseDeletedIPSECTunnel`
    - `ID string`
      Identifier
    - `CloudflareEndpoint string`
      The IP address assigned to the Cloudflare side of the IPsec tunnel.
    - `InterfaceAddress string`
      A 31-bit prefix (/31 in CIDR notation) supporting two hosts, one for each side of the tunnel. Select the subnet from the following private IP space: 10.0.0.0–10.255.255.255, 172.16.0.0–172.31.255.255, 192.168.0.0–192.168.255.255.
    - `Name string`
      The name of the IPsec tunnel. The name cannot share a name with other tunnels.
    - `AllowNullCipher bool`
      When `true`, the tunnel can use a null-cipher (`ENCR_NULL`) in the ESP tunnel (Phase 2).
    - `AutomaticReturnRouting bool`
      True if automatic stateful return routing should be enabled for a tunnel, false otherwise.
    - `BGP IPSECTunnelDeleteResponseDeletedIPSECTunnelBGP`
      - `CustomerASN int64`
        ASN used on the customer end of the BGP session
      - `ExtraPrefixes []string`
        Prefixes in this list will be advertised to the customer device, in addition to the routes in the Magic routing table.
      - `Md5Key string`
        MD5 key to use for session authentication. Note that *this is not a security measure*. MD5 is not a valid security mechanism, and the key is not treated as a secret value. This is *only* supported for preventing misconfiguration, not for defending against malicious attacks. The MD5 key, if set, must be of non-zero length and consist only of the following types of character:

        * ASCII alphanumerics: `[a-zA-Z0-9]`
        * Special characters in the set ``'!@#$%^&*()+[]{}<>/.,;:_-~`= |``

        In other words, MD5 keys may contain any printable ASCII character aside from newline (0x0A), quotation mark (`"`), vertical tab (0x0B), carriage return (0x0D), tab (0x09), form feed (0x0C), and the question mark (`?`). Requests specifying an MD5 key with one or more of these disallowed characters will be rejected.
    - `BGPStatus IPSECTunnelDeleteResponseDeletedIPSECTunnelBGPStatus`
      - `State IPSECTunnelDeleteResponseDeletedIPSECTunnelBGPStatusState`
        - `const IPSECTunnelDeleteResponseDeletedIPSECTunnelBGPStatusStateBGPDown IPSECTunnelDeleteResponseDeletedIPSECTunnelBGPStatusState = "BGP_DOWN"`
        - `const IPSECTunnelDeleteResponseDeletedIPSECTunnelBGPStatusStateBGPUp IPSECTunnelDeleteResponseDeletedIPSECTunnelBGPStatusState = "BGP_UP"`
        - `const IPSECTunnelDeleteResponseDeletedIPSECTunnelBGPStatusStateBGPEstablishing IPSECTunnelDeleteResponseDeletedIPSECTunnelBGPStatusState = "BGP_ESTABLISHING"`
      - `TCPEstablished bool`
      - `UpdatedAt Time`
      - `BGPState string`
      - `CfSpeakerIP string`
      - `CfSpeakerPort int64`
      - `CustomerSpeakerIP string`
      - `CustomerSpeakerPort int64`
    - `CreatedOn Time`
      The date and time the tunnel was created.
    - `CustomRemoteIdentities IPSECTunnelDeleteResponseDeletedIPSECTunnelCustomRemoteIdentities`
      - `FqdnID string`
        A custom IKE ID of type FQDN that may be used to identify the IPsec tunnel. The generated IKE IDs can still be used even if this custom value is specified. Must be of the form `..custom.ipsec.cloudflare.com`. This custom ID does not need to be unique. Two IPsec tunnels may have the same custom fqdn_id. However, if another IPsec tunnel has the same value then the two tunnels cannot have the same cloudflare_endpoint.
    - `CustomerEndpoint string`
      The IP address assigned to the customer side of the IPsec tunnel. Not required, but must be set for proactive traceroutes to work.
    - `Description string`
      An optional description for the IPsec tunnel.
    - `HealthCheck IPSECTunnelDeleteResponseDeletedIPSECTunnelHealthCheck`
      - `Direction IPSECTunnelDeleteResponseDeletedIPSECTunnelHealthCheckDirection`
        The direction of the flow of the healthcheck. Either unidirectional, where the probe comes to you via the tunnel and the result comes back to Cloudflare via the open Internet, or bidirectional where both the probe and result come and go via the tunnel.
        - `const IPSECTunnelDeleteResponseDeletedIPSECTunnelHealthCheckDirectionUnidirectional IPSECTunnelDeleteResponseDeletedIPSECTunnelHealthCheckDirection = "unidirectional"`
        - `const IPSECTunnelDeleteResponseDeletedIPSECTunnelHealthCheckDirectionBidirectional IPSECTunnelDeleteResponseDeletedIPSECTunnelHealthCheckDirection = "bidirectional"`
      - `Enabled bool`
        Determines whether to run healthchecks for a tunnel.
      - `Rate HealthCheckRate`
        How frequently the health check is run. The default value is `mid`.
        - `const HealthCheckRateLow HealthCheckRate = "low"`
        - `const HealthCheckRateMid HealthCheckRate = "mid"`
        - `const HealthCheckRateHigh HealthCheckRate = "high"`
      - `Target IPSECTunnelDeleteResponseDeletedIPSECTunnelHealthCheckTargetUnion`
        The destination address in a request type health check. After the healthcheck is decapsulated at the customer end of the tunnel, the ICMP echo will be forwarded to this address. This field defaults to `customer_gre_endpoint address`. This field is ignored for bidirectional healthchecks as the interface_address (not assigned to the Cloudflare side of the tunnel) is used as the target. Must be in object form if the x-magic-new-hc-target header is set to true and string form if x-magic-new-hc-target is absent or set to false.
        - `type IPSECTunnelDeleteResponseDeletedIPSECTunnelHealthCheckTargetMagicHealthCheckTarget struct{…}`
          The destination address in a request type health check. After the healthcheck is decapsulated at the customer end of the tunnel, the ICMP echo will be forwarded to this address. This field defaults to `customer_gre_endpoint address`. This field is ignored for bidirectional healthchecks as the interface_address (not assigned to the Cloudflare side of the tunnel) is used as the target.
          - `Effective string`
            The effective health check target. If 'saved' is empty, then this field will be populated with the calculated default value on GET requests. Ignored in POST, PUT, and PATCH requests.
          - `Saved string`
            The saved health check target. Setting the value to the empty string indicates that the calculated default value will be used.
        - `UnionString`
      - `Type HealthCheckType`
        The type of healthcheck to run, reply or request. The default value is `reply`.
        - `const HealthCheckTypeReply HealthCheckType = "reply"`
        - `const HealthCheckTypeRequest HealthCheckType = "request"`
    - `InterfaceAddress6 string`
      A 127-bit IPv6 prefix from within the virtual_subnet6 prefix space with the address being the first IP of the subnet and not the same as the address of virtual_subnet6. E.g. if virtual_subnet6 is 2606:54c1:7:0:a9fe:12d2::/127, interface_address6 could be 2606:54c1:7:0:a9fe:12d2:1:200/127
    - `ModifiedOn Time`
      The date and time the tunnel was last modified.
    - `PSKMetadata PSKMetadata`
      The PSK metadata that includes when the PSK was generated.
      - `LastGeneratedOn Time`
        The date and time the tunnel was last modified.
    - `ReplayProtection bool`
      If `true`, then IPsec replay protection will be supported in the Cloudflare-to-customer direction.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/magic_transit"
	"github.com/cloudflare/cloudflare-go/option"
)

func main() {
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	ipsecTunnel, err := client.MagicTransit.IPSECTunnels.Delete(
		context.TODO(),
		"023e105f4ecef8ad9ca31a8372d0c353",
		magic_transit.IPSECTunnelDeleteParams{
			AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
		},
	)
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", ipsecTunnel.Deleted)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {
    "deleted": true,
    "deleted_ipsec_tunnel": {
      "id": "c4a7362d577a6c3019a474fd6f485821",
      "cloudflare_endpoint": "203.0.113.1",
      "interface_address": "192.0.2.0/31",
      "name": "IPsec_1",
      "allow_null_cipher": true,
      "automatic_return_routing": true,
      "bgp": {
        "customer_asn": 0,
        "extra_prefixes": [ "string" ],
        "md5_key": "md5_key"
      },
      "bgp_status": {
        "state": "BGP_DOWN",
        "tcp_established": true,
        "updated_at": "2019-12-27T18:11:19.117Z",
        "bgp_state": "bgp_state",
        "cf_speaker_ip": "192.168.1.1",
        "cf_speaker_port": 1,
        "customer_speaker_ip": "192.168.1.1",
        "customer_speaker_port": 1
      },
      "created_on": "2017-06-14T00:00:00Z",
      "custom_remote_identities": { "fqdn_id": "fqdn_id" },
      "customer_endpoint": "203.0.113.1",
      "description": "Tunnel for ISP X",
      "health_check": {
        "direction": "bidirectional",
        "enabled": true,
        "rate": "low",
        "target": {
          "effective": "203.0.113.1",
          "saved": "203.0.113.1"
        },
        "type": "request"
      },
      "interface_address6": "2606:54c1:7:0:a9fe:12d2:1:200/127",
      "modified_on": "2017-06-14T05:20:00Z",
      "psk_metadata": { "last_generated_on": "2017-06-14T05:20:00Z" },
      "replay_protection": false
    }
  },
  "success": true
}
```

## Update multiple IPsec tunnels

`client.MagicTransit.IPSECTunnels.BulkUpdate(ctx, params) (*IPSECTunnelBulkUpdateResponse, error)`

**put** `/accounts/{account_id}/magic/ipsec_tunnels`

Update multiple IPsec tunnels associated with an account. Use `?validate_only=true` as an optional query parameter to only run validation without persisting changes.

### Parameters

- `params IPSECTunnelBulkUpdateParams`
  - `AccountID param.Field[string]`
    Path param: Identifier
  - `Body param.Field[unknown]`
    Body param
  - `XMagicNewHcTarget param.Field[bool]`
    Header param: If true, the health check target in the request and response bodies will be presented using the new object format. Defaults to false.

### Returns

- `type IPSECTunnelBulkUpdateResponse struct{…}`
  - `Modified bool`
  - `ModifiedIPSECTunnels []IPSECTunnelBulkUpdateResponseModifiedIPSECTunnel`
    - `ID string`
      Identifier
    - `CloudflareEndpoint string`
      The IP address assigned to the Cloudflare side of the IPsec tunnel.
    - `InterfaceAddress string`
      A 31-bit prefix (/31 in CIDR notation) supporting two hosts, one for each side of the tunnel. Select the subnet from the following private IP space: 10.0.0.0–10.255.255.255, 172.16.0.0–172.31.255.255, 192.168.0.0–192.168.255.255.
    - `Name string`
      The name of the IPsec tunnel. The name cannot share a name with other tunnels.
    - `AllowNullCipher bool`
      When `true`, the tunnel can use a null-cipher (`ENCR_NULL`) in the ESP tunnel (Phase 2).
    - `AutomaticReturnRouting bool`
      True if automatic stateful return routing should be enabled for a tunnel, false otherwise.
    - `BGP IPSECTunnelBulkUpdateResponseModifiedIPSECTunnelsBGP`
      - `CustomerASN int64`
        ASN used on the customer end of the BGP session
      - `ExtraPrefixes []string`
        Prefixes in this list will be advertised to the customer device, in addition to the routes in the Magic routing table.
      - `Md5Key string`
        MD5 key to use for session authentication. Note that *this is not a security measure*.
        MD5 is not a valid security mechanism, and the key is not treated as a secret value. This is *only* supported for preventing misconfiguration, not for defending against malicious attacks. The MD5 key, if set, must be of non-zero length and consist only of the following types of character:

        * ASCII alphanumerics: `[a-zA-Z0-9]`
        * Special characters in the set ``'!@#$%^&*()+[]{}<>/.,;:_-~`= |``

        In other words, MD5 keys may contain any printable ASCII character aside from newline (0x0A), quotation mark (`"`), vertical tab (0x0B), carriage return (0x0D), tab (0x09), form feed (0x0C), and the question mark (`?`). Requests specifying an MD5 key with one or more of these disallowed characters will be rejected.
    - `BGPStatus IPSECTunnelBulkUpdateResponseModifiedIPSECTunnelsBGPStatus`
      - `State IPSECTunnelBulkUpdateResponseModifiedIPSECTunnelsBGPStatusState`
        - `const IPSECTunnelBulkUpdateResponseModifiedIPSECTunnelsBGPStatusStateBGPDown IPSECTunnelBulkUpdateResponseModifiedIPSECTunnelsBGPStatusState = "BGP_DOWN"`
        - `const IPSECTunnelBulkUpdateResponseModifiedIPSECTunnelsBGPStatusStateBGPUp IPSECTunnelBulkUpdateResponseModifiedIPSECTunnelsBGPStatusState = "BGP_UP"`
        - `const IPSECTunnelBulkUpdateResponseModifiedIPSECTunnelsBGPStatusStateBGPEstablishing IPSECTunnelBulkUpdateResponseModifiedIPSECTunnelsBGPStatusState = "BGP_ESTABLISHING"`
      - `TCPEstablished bool`
      - `UpdatedAt Time`
      - `BGPState string`
      - `CfSpeakerIP string`
      - `CfSpeakerPort int64`
      - `CustomerSpeakerIP string`
      - `CustomerSpeakerPort int64`
    - `CreatedOn Time`
      The date and time the tunnel was created.
    - `CustomRemoteIdentities IPSECTunnelBulkUpdateResponseModifiedIPSECTunnelsCustomRemoteIdentities`
      - `FqdnID string`
        A custom IKE ID of type FQDN that may be used to identify the IPsec tunnel. The generated IKE IDs can still be used even if this custom value is specified. Must be of the form `..custom.ipsec.cloudflare.com`. This custom ID does not need to be unique. Two IPsec tunnels may have the same custom fqdn_id. However, if another IPsec tunnel has the same value then the two tunnels cannot have the same cloudflare_endpoint.
    - `CustomerEndpoint string`
      The IP address assigned to the customer side of the IPsec tunnel. Not required, but must be set for proactive traceroutes to work.
    - `Description string`
      An optional description for the IPsec tunnel.
    - `HealthCheck IPSECTunnelBulkUpdateResponseModifiedIPSECTunnelsHealthCheck`
      - `Direction IPSECTunnelBulkUpdateResponseModifiedIPSECTunnelsHealthCheckDirection`
        The direction of the flow of the healthcheck. Either unidirectional, where the probe comes to you via the tunnel and the result comes back to Cloudflare via the open Internet, or bidirectional where both the probe and result come and go via the tunnel.
        - `const IPSECTunnelBulkUpdateResponseModifiedIPSECTunnelsHealthCheckDirectionUnidirectional IPSECTunnelBulkUpdateResponseModifiedIPSECTunnelsHealthCheckDirection = "unidirectional"`
        - `const IPSECTunnelBulkUpdateResponseModifiedIPSECTunnelsHealthCheckDirectionBidirectional IPSECTunnelBulkUpdateResponseModifiedIPSECTunnelsHealthCheckDirection = "bidirectional"`
      - `Enabled bool`
        Determines whether to run healthchecks for a tunnel.
      - `Rate HealthCheckRate`
        How frequently the health check is run. The default value is `mid`.
        - `const HealthCheckRateLow HealthCheckRate = "low"`
        - `const HealthCheckRateMid HealthCheckRate = "mid"`
        - `const HealthCheckRateHigh HealthCheckRate = "high"`
      - `Target IPSECTunnelBulkUpdateResponseModifiedIPSECTunnelsHealthCheckTargetUnion`
        The destination address in a request type health check. After the healthcheck is decapsulated at the customer end of the tunnel, the ICMP echo will be forwarded to this address. This field defaults to `customer_gre_endpoint address`. This field is ignored for bidirectional healthchecks as the interface_address (not assigned to the Cloudflare side of the tunnel) is used as the target. Must be in object form if the x-magic-new-hc-target header is set to true and string form if x-magic-new-hc-target is absent or set to false.
        - `type IPSECTunnelBulkUpdateResponseModifiedIPSECTunnelsHealthCheckTargetMagicHealthCheckTarget struct{…}`
          The destination address in a request type health check. After the healthcheck is decapsulated at the customer end of the tunnel, the ICMP echo will be forwarded to this address. This field defaults to `customer_gre_endpoint address`. This field is ignored for bidirectional healthchecks as the interface_address (not assigned to the Cloudflare side of the tunnel) is used as the target.
          - `Effective string`
            The effective health check target. If 'saved' is empty, then this field will be populated with the calculated default value on GET requests. Ignored in POST, PUT, and PATCH requests.
          - `Saved string`
            The saved health check target. Setting the value to the empty string indicates that the calculated default value will be used.
        - `UnionString`
      - `Type HealthCheckType`
        The type of healthcheck to run, reply or request. The default value is `reply`.
        - `const HealthCheckTypeReply HealthCheckType = "reply"`
        - `const HealthCheckTypeRequest HealthCheckType = "request"`
    - `InterfaceAddress6 string`
      A 127-bit IPv6 prefix from within the virtual_subnet6 prefix space with the address being the first IP of the subnet and not the same as the address of virtual_subnet6. E.g. if virtual_subnet6 is 2606:54c1:7:0:a9fe:12d2::/127, interface_address6 could be 2606:54c1:7:0:a9fe:12d2:1:200/127
    - `ModifiedOn Time`
      The date and time the tunnel was last modified.
    - `PSKMetadata PSKMetadata`
      The PSK metadata that includes when the PSK was generated.
      - `LastGeneratedOn Time`
        The date and time the tunnel was last modified.
    - `ReplayProtection bool`
      If `true`, then IPsec replay protection will be supported in the Cloudflare-to-customer direction.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/magic_transit"
	"github.com/cloudflare/cloudflare-go/option"
)

func main() {
	// The API token and account ID below are the documentation's placeholder values.
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	response, err := client.MagicTransit.IPSECTunnels.BulkUpdate(context.TODO(), magic_transit.IPSECTunnelBulkUpdateParams{
		AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
		Body:      map[string]interface{}{},
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("%+v\n", response.Modified)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "modified": true,
    "modified_ipsec_tunnels": [
      {
        "id": "c4a7362d577a6c3019a474fd6f485821",
        "cloudflare_endpoint": "203.0.113.1",
        "interface_address": "192.0.2.0/31",
        "name": "IPsec_1",
        "allow_null_cipher": true,
        "automatic_return_routing": true,
        "bgp": {
          "customer_asn": 0,
          "extra_prefixes": [
            "string"
          ],
          "md5_key": "md5_key"
        },
        "bgp_status": {
          "state": "BGP_DOWN",
          "tcp_established": true,
          "updated_at": "2019-12-27T18:11:19.117Z",
          "bgp_state": "bgp_state",
          "cf_speaker_ip": "192.168.1.1",
          "cf_speaker_port": 1,
          "customer_speaker_ip": "192.168.1.1",
          "customer_speaker_port": 1
        },
        "created_on": "2017-06-14T00:00:00Z",
        "custom_remote_identities": {
          "fqdn_id": "fqdn_id"
        },
        "customer_endpoint": "203.0.113.1",
        "description": "Tunnel for ISP X",
        "health_check": {
          "direction": "bidirectional",
          "enabled": true,
          "rate": "low",
          "target": {
            "effective": "203.0.113.1",
            "saved": "203.0.113.1"
          },
          "type": "request"
        },
        "interface_address6": "2606:54c1:7:0:a9fe:12d2:1:200/127",
        "modified_on": "2017-06-14T05:20:00Z",
        "psk_metadata": {
          "last_generated_on": "2017-06-14T05:20:00Z"
        },
        "replay_protection": false
      }
    ]
  },
  "success": true
}
```

## Generate Pre Shared Key (PSK) for IPsec tunnels

`client.MagicTransit.IPSECTunnels.PSKGenerate(ctx, ipsecTunnelID, params) (*IPSECTunnelPSKGenerateResponse, error)`

**post** `/accounts/{account_id}/magic/ipsec_tunnels/{ipsec_tunnel_id}/psk_generate`

Generates a Pre Shared Key for a specific IPsec tunnel used in the IKE session. Use `?validate_only=true` as an optional query parameter to only run validation without persisting changes. After a PSK is generated, the PSK is immediately persisted to Cloudflare's edge and cannot be retrieved later. Note the PSK in a safe place.

### Parameters

- `ipsecTunnelID string`
  Identifier
- `params IPSECTunnelPSKGenerateParams`
  - `AccountID param.Field[string]`
    Path param: Identifier
  - `Body param.Field[unknown]`
    Body param

### Returns

- `type IPSECTunnelPSKGenerateResponse struct{…}`
  - `IPSECTunnelID string`
    Identifier
  - `PSK string`
    A randomly generated or provided string for use in the IPsec tunnel.
  - `PSKMetadata PSKMetadata`
    The PSK metadata that includes when the PSK was generated.
    - `LastGeneratedOn Time`
      The date and time the tunnel was last modified.

### Example

```go
package main

import (
	"context"
	"fmt"

	"github.com/cloudflare/cloudflare-go"
	"github.com/cloudflare/cloudflare-go/magic_transit"
	"github.com/cloudflare/cloudflare-go/option"
)

func main() {
	// The API token and identifiers below are the documentation's placeholder values.
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	response, err := client.MagicTransit.IPSECTunnels.PSKGenerate(
		context.TODO(),
		"023e105f4ecef8ad9ca31a8372d0c353",
		magic_transit.IPSECTunnelPSKGenerateParams{
			AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
			Body:      map[string]interface{}{},
		},
	)
	if err != nil {
		panic(err.Error())
	}
	// The response also carries the PSK, which cannot be retrieved later.
	fmt.Printf("%+v\n", response.IPSECTunnelID)
}
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "ipsec_tunnel_id": "023e105f4ecef8ad9ca31a8372d0c353",
    "psk": "O3bwKSjnaoCxDoUxjcq4Rk8ZKkezQUiy",
    "psk_metadata": {
      "last_generated_on": "2017-06-14T05:20:00Z"
    }
  },
  "success": true
}
```

## Domain Types

### PSK Metadata

- `type PSKMetadata struct{…}`
  The PSK metadata that includes when the PSK was generated.
  - `LastGeneratedOn Time`
    The date and time the tunnel was last modified.
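
The tunnel fields documented on this page can be audited for weak settings. The following is an added example, not part of the Cloudflare documentation or SDK: it decodes a raw response body with the standard library and flags `allow_null_cipher`, `replay_protection`, and PSK age taken from `psk_metadata.last_generated_on`. The `auditTunnels` name, the 90-day rotation threshold and the sample JSON are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

type tunnel struct { // only the response fields this audit reads
	Name             string `json:"name"`
	AllowNullCipher  bool   `json:"allow_null_cipher"`
	ReplayProtection bool   `json:"replay_protection"`
	PSKMetadata      struct {
		LastGeneratedOn time.Time `json:"last_generated_on"`
	} `json:"psk_metadata"`
}

// auditTunnels returns one finding per weak setting; maxPSKAge is a local policy (assumption).
func auditTunnels(body []byte, now time.Time, maxPSKAge time.Duration) ([]string, error) {
	var env struct {
		Result struct {
			Tunnels []tunnel `json:"modified_ipsec_tunnels"`
		} `json:"result"`
	}
	if err := json.Unmarshal(body, &env); err != nil {
		return nil, fmt.Errorf("decode response: %w", err)
	}
	var findings []string
	for _, t := range env.Result.Tunnels {
		if t.AllowNullCipher {
			findings = append(findings, t.Name+": allow_null_cipher=true, ESP may use ENCR_NULL")
		}
		if !t.ReplayProtection {
			findings = append(findings, t.Name+": replay_protection=false")
		}
		if gen := t.PSKMetadata.LastGeneratedOn; gen.IsZero() {
			findings = append(findings, t.Name+": PSK generation time missing")
		} else if age := now.Sub(gen); age > maxPSKAge {
			findings = append(findings, fmt.Sprintf("%s: PSK is %d days old", t.Name, int(age.Hours()/24)))
		}
	}
	return findings, nil
}

// sample is constructed data in the shape of the bulk update response.
const sample = `{"result":{"modified_ipsec_tunnels":[
 {"name":"IPsec_1","allow_null_cipher":true,"replay_protection":false,"psk_metadata":{"last_generated_on":"2017-06-14T05:20:00Z"}},
 {"name":"IPsec_2","allow_null_cipher":false,"replay_protection":true,"psk_metadata":{"last_generated_on":"2017-09-01T00:00:00Z"}}]}}`

func main() {
	now := time.Date(2017, 10, 1, 0, 0, 0, 0, time.UTC) // fixed clock for a repeatable run
	fmt.Println(auditTunnels([]byte(sample), now, 90*24*time.Hour))
}
```

The struct reads the `modified_ipsec_tunnels` key from the bulk update response; other endpoints return the tunnel list under a different key, so adjust the JSON tag to match the response being audited.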